Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.


Project: 

Scan Information:

Summary

Display: Showing Vulnerable Dependencies

Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count
HdrHistogram-2.1.6.jar | | pkg:maven/org.hdrhistogram/HdrHistogram@2.1.6 | | 0 | | 25
HdrHistogram-2.1.9.jar | | pkg:maven/org.hdrhistogram/HdrHistogram@2.1.9 | | 0 | | 25
accessors-smart-1.1.jar | | pkg:maven/net.minidev/accessors-smart@1.1 | | 0 | | 25
activation-1.1.jar | | pkg:maven/javax.activation/activation@1.1 | | 0 | | 31
aliyun-sdk-oss-2.5.0.jar | | pkg:maven/com.aliyun.oss/aliyun-sdk-oss@2.5.0 | | 0 | | 19
android-json-0.0.20131108.vaadin1.jar | | pkg:maven/com.vaadin.external.google/android-json@0.0.20131108.vaadin1 | | 0 | | 27
annotations-2.0.0.jar | | pkg:maven/com.google.code.findbugs/annotations@2.0.0 | | 0 | | 24
archaius-core-0.6.0.jar | | pkg:maven/com.netflix.archaius/archaius-core@0.6.0 | | 0 | | 18
asm-5.0.3.jar | | pkg:maven/org.ow2.asm/asm@5.0.3 | | 0 | | 35
asm-debug-all-5.2.jar | | pkg:maven/org.ow2.asm/asm-debug-all@5.2 | | 0 | | 35
aspectjweaver-1.8.9.jar | | pkg:maven/org.aspectj/aspectjweaver@1.8.9 | | 0 | | 33
assertj-core-2.6.0.jar | | pkg:maven/org.assertj/assertj-core@2.6.0 | | 0 | | 33
assertj-core-2.6.0.jar (shaded: cglib:cglib-nodep:3.2.4) | | pkg:maven/cglib/cglib-nodep@3.2.4 | | 0 | | 7
assertj-core-2.6.0.jar (shaded: cglib:cglib:3.2.4) | | pkg:maven/cglib/cglib@3.2.4 | | 0 | | 7
aws-java-sdk-core-1.11.22.jar | | pkg:maven/com.amazonaws/aws-java-sdk-core@1.11.22 | | 0 | | 23
aws-java-sdk-kms-1.11.22.jar | | pkg:maven/com.amazonaws/aws-java-sdk-kms@1.11.22 | | 0 | | 26
aws-java-sdk-s3-1.11.22.jar | | pkg:maven/com.amazonaws/aws-java-sdk-s3@1.11.22 | | 0 | | 26
aws-java-sdk-sts-1.11.22.jar | | pkg:maven/com.amazonaws/aws-java-sdk-sts@1.11.22 | | 0 | | 24
backport-util-concurrent-3.1.jar | | pkg:maven/backport-util-concurrent/backport-util-concurrent@3.1 | | 0 | | 25
btf-1.2.jar | | pkg:maven/com.github.fge/btf@1.2 | | 0 | | 26
cal10n-api-0.7.4.jar | | pkg:maven/ch.qos.cal10n/cal10n-api@0.7.4 | | 0 | | 26
classmate-1.3.3.jar | | pkg:maven/com.fasterxml/classmate@1.3.3 | | 0 | | 44
classworlds-1.1-alpha-2.jar | | pkg:maven/classworlds/classworlds@1.1-alpha-2 | | 0 | | 32
com.ibm.jbatch-tck-spi-1.0.jar | | pkg:maven/com.ibm.jbatch/com.ibm.jbatch-tck-spi@1.0 | | 0 | | 24
commons-beanutils-1.9.3.jar | cpe:2.3:a:apache:commons_beanutils:1.9.3:*:*:*:*:*:*:* | pkg:maven/commons-beanutils/commons-beanutils@1.9.3 | HIGH | 1 | Highest | 41
commons-codec-1.10.jar | | pkg:maven/commons-codec/commons-codec@1.10 | | 0 | | 40
commons-collections-3.2.2.jar | cpe:2.3:a:apache:commons_collections:3.2.2:*:*:*:*:*:*:* | pkg:maven/commons-collections/commons-collections@3.2.2 | | 0 | Highest | 41
commons-collections4-4.1.jar | cpe:2.3:a:apache:commons_collections:4.1:*:*:*:*:*:*:* | pkg:maven/org.apache.commons/commons-collections4@4.1 | | 0 | Highest | 38
commons-configuration-1.8.jar | cpe:2.3:a:apache:commons_configuration:1.8:*:*:*:*:*:*:* | pkg:maven/commons-configuration/commons-configuration@1.8 | | 0 | Highest | 36
commons-digester-2.1.jar | | pkg:maven/commons-digester/commons-digester@2.1 | | 0 | | 37
commons-httpclient-3.1.jar | cpe:2.3:a:apache:commons-httpclient:3.1:*:*:*:*:*:*:*; cpe:2.3:a:apache:httpclient:3.1:*:*:*:*:*:*:* | pkg:maven/commons-httpclient/commons-httpclient@3.1 | | 0 | Highest | 32
commons-io-2.4.jar | | pkg:maven/commons-io/commons-io@2.4 | | 0 | | 36
commons-lang-2.4.jar | | pkg:maven/commons-lang/commons-lang@2.4 | | 0 | | 35
commons-lang-2.5.jar | | pkg:maven/commons-lang/commons-lang@2.5 | | 0 | | 35
commons-lang3-3.4.jar | | pkg:maven/org.apache.commons/commons-lang3@3.4 | | 0 | | 38
commons-logging-1.0.4.jar | | pkg:maven/commons-logging/commons-logging@1.0.4 | | 0 | | 36
commons-logging-1.1.3.jar | | pkg:maven/commons-logging/commons-logging@1.1.3 | | 0 | | 37
commons-logging-1.2.jar | | pkg:maven/commons-logging/commons-logging@1.2 | | 0 | | 36
commons-pool2-2.4.2.jar | | pkg:maven/org.apache.commons/commons-pool2@2.4.2 | | 0 | | 37
commons-validator-1.2.0.jar | | pkg:maven/commons-validator/commons-validator@1.2.0 | | 0 | | 37
commons-validator-1.2.0.jar: validateByte.js | | | | 0 | | 0
commons-validator-1.2.0.jar: validateCreditCard.js | | | | 0 | | 0
commons-validator-1.2.0.jar: validateDate.js | | | | 0 | | 0
commons-validator-1.2.0.jar: validateEmail.js | | | | 0 | | 0
commons-validator-1.2.0.jar: validateFloat.js | | | | 0 | | 0
commons-validator-1.2.0.jar: validateFloatRange.js | | | | 0 | | 0
commons-validator-1.2.0.jar: validateIntRange.js | | | | 0 | | 0
commons-validator-1.2.0.jar: validateInteger.js | | | | 0 | | 0
commons-validator-1.2.0.jar: validateMask.js | | | | 0 | | 0
commons-validator-1.2.0.jar: validateMaxLength.js | | | | 0 | | 0
commons-validator-1.2.0.jar: validateMinLength.js | | | | 0 | | 0
commons-validator-1.2.0.jar: validateRequired.js | | | | 0 | | 0
commons-validator-1.2.0.jar: validateShort.js | | | | 0 | | 0
commons-validator-1.2.0.jar: validateUtilities.js | | | | 0 | | 0
compiler-0.9.3.jar | | pkg:maven/com.github.spullara.mustache.java/compiler@0.9.3 | | 0 | | 23
cucumber-core-1.2.5.jar | | pkg:maven/info.cukes/cucumber-core@1.2.5 | | 0 | | 20
cucumber-html-0.2.3.jar | | pkg:maven/info.cukes/cucumber-html@0.2.3 | | 0 | | 10
cucumber-html-0.2.3.jar: formatter.js | | | | 0 | | 0
cucumber-html-0.2.3.jar: jquery-1.8.2.min.js | | pkg:javascript/jquery@1.8.2.min | MEDIUM | 5 | | 3
cucumber-java-1.2.5.jar | | pkg:maven/info.cukes/cucumber-java@1.2.5 | | 0 | | 22
cucumber-junit-1.2.5.jar | | pkg:maven/info.cukes/cucumber-junit@1.2.5 | | 0 | | 22
cucumber-jvm-deps-1.0.5.jar | | pkg:maven/info.cukes/cucumber-jvm-deps@1.0.5 | | 0 | | 20
cucumber-jvm-deps-1.0.5.jar (shaded: com.googlecode.java-diff-utils:diffutils:1.3.0) | | pkg:maven/com.googlecode.java-diff-utils/diffutils@1.3.0 | | 0 | | 9
cucumber-jvm-deps-1.0.5.jar (shaded: com.thoughtworks.xstream:xstream:1.4.8) | cpe:2.3:a:xstream_project:xstream:1.4.8:*:*:*:*:*:*:* | pkg:maven/com.thoughtworks.xstream/xstream@1.4.8 | HIGH | 2 | Highest | 11
cucumber-spring-1.2.5.jar | | pkg:maven/info.cukes/cucumber-spring@1.2.5 | | 0 | | 22
doxia-core-1.1.2.jar | | pkg:maven/org.apache.maven.doxia/doxia-core@1.1.2 | | 0 | | 26
doxia-decoration-model-1.1.2.jar | | pkg:maven/org.apache.maven.doxia/doxia-decoration-model@1.1.2 | | 0 | | 28
doxia-logging-api-1.1.jar | | pkg:maven/org.apache.maven.doxia/doxia-logging-api@1.1 | | 0 | | 28
doxia-module-fml-1.1.2.jar | | pkg:maven/org.apache.maven.doxia/doxia-module-fml@1.1.2 | | 0 | | 28
doxia-module-xhtml-1.1.2.jar | | pkg:maven/org.apache.maven.doxia/doxia-module-xhtml@1.1.2 | | 0 | | 28
doxia-sink-api-1.1.jar | | pkg:maven/org.apache.maven.doxia/doxia-sink-api@1.1 | | 0 | | 28
doxia-site-renderer-1.1.2.jar | | pkg:maven/org.apache.maven.doxia/doxia-site-renderer@1.1.2 | | 0 | | 26
druid-1.0.23.jar | cpe:2.3:a:alibaba:alibaba:1.0.23:*:*:*:*:*:*:* | pkg:maven/com.alibaba/druid@1.0.23 | | 0 | Highest | 28
druid-1.0.23.jar: bootstrap.min.js | | | | 0 | | 0
druid-1.0.23.jar: common.js | | | | 0 | | 0
druid-1.0.23.jar: doT.js | | | | 0 | | 0
druid-1.0.23.jar: jquery.min.js | | pkg:javascript/jquery@1.8.0 | MEDIUM | 5 | | 3
druid-1.0.23.jar: lang.js | | | | 0 | | 0
ehcache-2.10.3.jar | | pkg:maven/net.sf.ehcache/ehcache@2.10.3 | | 0 | | 44
ehcache-core-2.6.11.jar | | pkg:maven/net.sf.ehcache/ehcache-core@2.6.11 | | 0 | | 21
ehcache-core-2.6.11.jar: sizeof-agent.jar | | pkg:maven/net.sf.ehcache/sizeof-agent@1.0.1 | | 0 | | 28
elasticsearch-5.2.1.jar | cpe:2.3:a:elastic:elasticsearch:5.2.1:*:*:*:*:*:*:*; cpe:2.3:a:elasticsearch:elasticsearch:5.2.1:*:*:*:*:*:*:* | pkg:maven/org.elasticsearch/elasticsearch@5.2.1 | HIGH | 3 | Highest | 36
encoder-1.2.2.jar | | pkg:maven/org.owasp.encoder/encoder@1.2.2 | | 0 | | 23
ezmorph-1.0.6.jar | | pkg:maven/net.sf.ezmorph/ezmorph@1.0.6 | | 0 | | 25
fast-classpath-scanner-2.0.13.jar | | pkg:maven/io.github.lukehutch/fast-classpath-scanner@2.0.13 | | 0 | | 34
fastjson-1.2.70.jar | cpe:2.3:a:alibaba:alibaba:1.2.70:*:*:*:*:*:*:*; cpe:2.3:a:alibaba:fastjson:1.2.70:*:*:*:*:*:*:* | pkg:maven/com.alibaba/fastjson@1.2.70 | | 0 | Highest | 25
fever-batch-0.0.3-SNAPSHOT.jar | cpe:2.3:a:pivotal_software:spring_batch:0.0.3:snapshot:*:*:*:*:*:* | pkg:maven/com.github.fanfever/fever-batch@0.0.3-SNAPSHOT | CRITICAL | 1 | Low | 25
fever-common-0.0.3-SNAPSHOT.jar | cpe:2.3:a:pivotal_software:spring_boot:0.0.3:snapshot:*:*:*:*:*:*; cpe:2.3:a:pivotal_software:spring_framework:0.0.3:snapshot:*:*:*:*:*:* | pkg:maven/com.github.fanfever/fever-common@0.0.3-SNAPSHOT | CRITICAL | 7 | Low | 25
fever-config-center-0.0.3-SNAPSHOT.jar | cpe:2.3:a:pivotal_software:spring_boot:0.0.3:snapshot:*:*:*:*:*:*; cpe:2.3:a:pivotal_software:spring_framework:0.0.3:snapshot:*:*:*:*:*:* | pkg:maven/com.github.fanfever/fever-config-center@0.0.3-SNAPSHOT | CRITICAL | 7 | Low | 19
fever-elasticsearch-0.0.3-SNAPSHOT.jar | cpe:2.3:a:elasticsearch:elasticsearch:0.0.3:snapshot:*:*:*:*:*:* | pkg:maven/com.github.fanfever/fever-elasticsearch@0.0.3-SNAPSHOT | HIGH | 5 | High | 25
fever-mail-0.0.3-SNAPSHOT.jar | cpe:2.3:a:pivotal_software:spring_boot:0.0.3:snapshot:*:*:*:*:*:*; cpe:2.3:a:pivotal_software:spring_framework:0.0.3:snapshot:*:*:*:*:*:* | pkg:maven/com.github.fanfever/fever-mail@0.0.3-SNAPSHOT | CRITICAL | 7 | Low | 27
fever-metrics-0.0.3-SNAPSHOT.jar | cpe:2.3:a:pivotal_software:spring_boot:0.0.3:snapshot:*:*:*:*:*:*; cpe:2.3:a:pivotal_software:spring_framework:0.0.3:snapshot:*:*:*:*:*:* | pkg:maven/com.github.fanfever/fever-metrics@0.0.3-SNAPSHOT | CRITICAL | 7 | Low | 25
fever-migration-0.0.3-SNAPSHOT.jar | cpe:2.3:a:pivotal_software:spring_boot:0.0.3:snapshot:*:*:*:*:*:*; cpe:2.3:a:pivotal_software:spring_framework:0.0.3:snapshot:*:*:*:*:*:* | pkg:maven/com.github.fanfever/fever-migration@0.0.3-SNAPSHOT | CRITICAL | 7 | Low | 19
fever-search-0.0.3-SNAPSHOT.jar | cpe:2.3:a:pro_search:pro_search:0.0.3:snapshot:*:*:*:*:*:* | pkg:maven/com.github.fanfever/fever-search@0.0.3-SNAPSHOT | MEDIUM | 2 | Low | 25
fever-shiro-redis-0.0.3-SNAPSHOT.jar | cpe:2.3:a:pivotal_software:spring_boot:0.0.3:snapshot:*:*:*:*:*:*; cpe:2.3:a:pivotal_software:spring_framework:0.0.3:snapshot:*:*:*:*:*:* | pkg:maven/com.github.fanfever/fever-shiro-redis@0.0.3-SNAPSHOT | CRITICAL | 7 | Low | 27
fever-sms-http-0.0.3-SNAPSHOT.jar | cpe:2.3:a:sms:sms:0.0.3:snapshot:*:*:*:*:*:* | pkg:maven/com.github.fanfever/fever-sms-http@0.0.3-SNAPSHOT | LOW | 1 | Highest | 27
fever-upload-0.0.3-SNAPSHOT.jar | cpe:2.3:a:pivotal_software:spring_boot:0.0.3:snapshot:*:*:*:*:*:*; cpe:2.3:a:pivotal_software:spring_framework:0.0.3:snapshot:*:*:*:*:*:* | pkg:maven/com.github.fanfever/fever-upload@0.0.3-SNAPSHOT | CRITICAL | 7 | Low | 27
fever-web-0.0.3-SNAPSHOT.jar | cpe:2.3:a:pivotal_software:spring_boot:0.0.3:snapshot:*:*:*:*:*:*; cpe:2.3:a:pivotal_software:spring_framework:0.0.3:snapshot:*:*:*:*:*:* | pkg:maven/com.github.fanfever/fever-web@0.0.3-SNAPSHOT | CRITICAL | 7 | Low | 27
file-management-1.2.1.jar | | pkg:maven/org.apache.maven.shared/file-management@1.2.1 | | 0 | | 27
fluent-hc-4.5.3.jar | cpe:2.3:a:apache:httpclient:4.5.3:*:*:*:*:*:*:* | pkg:maven/org.apache.httpcomponents/fluent-hc@4.5.3 | | 0 | Low | 33
fluent-validator-1.0.5.jar | | pkg:maven/com.baidu.unbiz/fluent-validator@1.0.5 | | 0 | | 25
fluent-validator-jsr303-1.0.5.jar | | pkg:maven/com.baidu.unbiz/fluent-validator-jsr303@1.0.5 | | 0 | | 26
fluent-validator-spring-1.0.5.jar | | pkg:maven/com.baidu.unbiz/fluent-validator-spring@1.0.5 | | 0 | | 25
flyway-core-3.2.1.jar | | pkg:maven/org.flywaydb/flyway-core@3.2.1 | | 0 | | 24
gherkin-2.12.2.jar | | pkg:maven/info.cukes/gherkin@2.12.2 | | 0 | | 18
guava-21.0.jar | cpe:2.3:a:google:guava:21.0:*:*:*:*:*:*:* | pkg:maven/com.google.guava/guava@21.0 | MEDIUM | 1 | Highest | 23
h2-1.4.193.jar | cpe:2.3:a:h2database:h2:1.4.193:*:*:*:*:*:*:* | pkg:maven/com.h2database/h2@1.4.193 | | 0 | Highest | 31
h2-1.4.193.jar: data.zip: table.js | | | | 0 | | 0
h2-1.4.193.jar: data.zip: tree.js | | | | 0 | | 0
hamcrest-core-1.3.jar | | pkg:maven/org.hamcrest/hamcrest-core@1.3 | | 0 | | 26
hamcrest-library-1.3.jar | | pkg:maven/com.ontotext.graphdb/graphdb-free-runtime@1.3; pkg:maven/org.hamcrest/hamcrest-library@1.3 | | 0 | | 35
hazelcast-3.7.5.jar | cpe:2.3:a:hazelcast:hazelcast:3.7.5:*:*:*:*:*:*:* | pkg:maven/com.hazelcast/hazelcast@3.7.5 | HIGH | 1 | Highest | 33
hazelcast-3.7.5.jar (shaded: com.eclipsesource.minimal-json:minimal-json:0.9.2-SNAPSHOT) | | pkg:maven/com.eclipsesource.minimal-json/minimal-json@0.9.2-SNAPSHOT | | 0 | | 9
hazelcast-3.7.5.jar (shaded: com.hazelcast:hazelcast-client-protocol:1.3.3) | cpe:2.3:a:hazelcast:hazelcast:1.3.3:*:*:*:*:*:*:* | pkg:maven/com.hazelcast/hazelcast-client-protocol@1.3.3 | HIGH | 1 | Highest | 11
hibernate-validator-5.3.4.Final.jar | cpe:2.3:a:hibernate:hibernate-validator:5.3.4:*:*:*:*:*:*:*; cpe:2.3:a:hibernate:validator:5.3.4:*:*:*:*:*:*:* | pkg:maven/org.hibernate/hibernate-validator@5.3.4.Final | | 0 | Highest | 32
hppc-0.7.1.jar | | pkg:maven/com.carrotsearch/hppc@0.7.1 | | 0 | | 21
httpasyncclient-4.1.3.jar | cpe:2.3:a:apache:httpasyncclient:4.1.3:*:*:*:*:*:*:* | pkg:maven/org.apache.httpcomponents/httpasyncclient@4.1.3 | | 0 | Highest | 29
httpclient-4.5.3.jar | cpe:2.3:a:apache:httpclient:4.5.3:*:*:*:*:*:*:* | pkg:maven/org.apache.httpcomponents/httpclient@4.5.3 | | 0 | Highest | 33
httpcore-4.4.6.jar | | pkg:maven/org.apache.httpcomponents/httpcore@4.4.6 | | 0 | | 31
httpcore-nio-4.4.5.jar | | pkg:maven/org.apache.httpcomponents/httpcore-nio@4.4.5 | | 0 | | 31
httpmime-4.5.3.jar | | pkg:maven/org.apache.httpcomponents/httpmime@4.5.3 | | 0 | | 31
hystrix-core-1.5.10.jar | | pkg:maven/com.netflix.hystrix/hystrix-core@1.5.10 | MEDIUM | 1 | | 58
jackson-annotations-2.8.0.jar | cpe:2.3:a:fasterxml:jackson:2.8.0:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.8.0 | | 0 | Highest | 37
jackson-core-2.8.7.jar | cpe:2.3:a:fasterxml:jackson:2.8.7:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-core@2.8.7 | | 0 | Highest | 43
jackson-core-asl-1.9.11.jar | cpe:2.3:a:fasterxml:jackson:1.9.11:*:*:*:*:*:*:* | pkg:maven/org.codehaus.jackson/jackson-core-asl@1.9.11 | | 0 | High | 35
jackson-coreutils-1.6.jar | | pkg:maven/com.github.fge/jackson-coreutils@1.6 | | 0 | | 30
jackson-databind-2.9.10.6.jar | cpe:2.3:a:fasterxml:jackson:2.9.10.6:*:*:*:*:*:*:*; cpe:2.3:a:fasterxml:jackson-databind:2.9.10.6:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.6 | | 0 | Highest | 41
jackson-dataformat-cbor-2.8.7.jar | cpe:2.3:a:fasterxml:jackson:2.8.7:*:*:*:*:*:*:*; cpe:2.3:a:fasterxml:jackson-dataformat-xml:2.8.7:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-cbor@2.8.7 | | 0 | Highest | 40
jackson-datatype-joda-2.8.7.jar | cpe:2.3:a:fasterxml:jackson:2.8.7:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-joda@2.8.7 | | 0 | Highest | 41
jackson-mapper-asl-1.9.11.jar | cpe:2.3:a:fasterxml:jackson:1.9.11:*:*:*:*:*:*:*; cpe:2.3:a:fasterxml:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:* | pkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.9.11 | CRITICAL | 14 | High | 35
jacoco-maven-plugin-0.7.9.jar | | pkg:maven/org.jacoco/jacoco-maven-plugin@0.7.9 | | 0 | | 21
javaluator-3.0.1.jar | | pkg:maven/com.fathzer/javaluator@3.0.1 | | 0 | | 26
javax.annotation-api-1.3.2.jar | | pkg:maven/javax.annotation/javax.annotation-api@1.3.2 | | 0 | | 39
javax.batch-api-1.0.jar | | pkg:maven/javax.batch/javax.batch-api@1.0 | | 0 | | 23
javax.el-2.2.4.jar | | pkg:maven/org.glassfish.web/javax.el@2.2.4 | | 0 | | 34
javax.el-api-2.2.5.jar | | pkg:maven/javax.el/javax.el-api@2.2.5 | | 0 | | 38
javax.servlet-api-3.1.0.jar | | pkg:maven/javax.servlet/javax.servlet-api@3.1.0 | | 0 | | 37
jboss-logging-3.3.0.Final.jar | | pkg:maven/org.jboss.logging/jboss-logging@3.3.0.Final | | 0 | | 44
jcl-over-slf4j-1.7.24.jar | | pkg:maven/org.slf4j/jcl-over-slf4j@1.7.24 | | 0 | | 24
jconsole-1.8.0.jar | | | | 0 | | 10
jdom-1.1.jar | | pkg:maven/org.jdom/jdom@1.1 | | 0 | | 52
jedis-2.9.0.jar | | pkg:maven/redis.clients/jedis@2.9.0 | | 0 | | 26
jettison-1.2.jar | | pkg:maven/org.codehaus.jettison/jettison@1.2 | | 0 | | 22
jna-4.2.2.jar | | pkg:maven/net.java.dev.jna/jna@4.2.2 | | 0 | | 43
jna-4.2.2.jar: jnidispatch.dll | | | | 0 | | 2
jna-4.2.2.jar: jnidispatch.dll | | | | 0 | | 2
jna-4.2.2.jar: jnidispatch.dll | | | | 0 | | 2
joda-time-2.9.7.jar | | pkg:maven/joda-time/joda-time@2.9.7 | | 0 | | 36
jopt-simple-4.6.jar | | pkg:maven/net.sf.jopt-simple/jopt-simple@4.6 | | 0 | | 13
jopt-simple-5.0.2.jar | | pkg:maven/net.sf.jopt-simple/jopt-simple@5.0.2 | | 0 | | 16
json-20140107.jar | | pkg:maven/org.json/json@20140107 | | 0 | | 21
json-lib-2.4-jdk15.jar | | pkg:maven/com.hynnet/json-lib@2.4; pkg:maven/net.sf.json-lib/json-lib@2.4 | | 0 | | 28
json-patch-1.6.jar | cpe:2.3:a:json-patch_project:json-patch:1.6:*:*:*:*:*:*:* | pkg:maven/com.github.fge/json-patch@1.6 | | 0 | Highest | 28
json-path-2.2.0.jar | | pkg:maven/com.jayway.jsonpath/json-path@2.2.0 | | 0 | | 35
json-schema-core-1.2.1.jar | | pkg:maven/com.github.fge/json-schema-core@1.2.1 | | 0 | | 31
json-schema-validator-2.2.3.jar | | pkg:maven/com.github.fge/json-schema-validator@2.2.3 | | 0 | | 28
json-smart-2.2.1.jar | cpe:2.3:a:ini-parser_project:ini-parser:2.2.1:*:*:*:*:*:*:* | pkg:maven/net.minidev/json-smart@2.2.1 | | 0 | Low | 32
jsonassert-1.4.0.jar | | pkg:maven/org.skyscreamer/jsonassert@1.4.0 | | 0 | | 19
jsoup-1.10.2.jar | cpe:2.3:a:jsoup:jsoup:1.10.2:*:*:*:*:*:*:* | pkg:maven/org.jsoup/jsoup@1.10.2 | | 0 | Highest | 28
jsqlparser-0.9.5.jar | | pkg:maven/com.github.jsqlparser/jsqlparser@0.9.5 | | 0 | | 23
jsr305-2.0.1.jar | | pkg:maven/com.google.code.findbugs/jsr305@2.0.1; pkg:maven/com.google.code.findbugs/jsr305@2.0.2; pkg:maven/net.sourceforge.findbugs/jsr305@1.3.7 | | 0 | | 27
jul-to-slf4j-1.7.24.jar | | pkg:maven/org.slf4j/jul-to-slf4j@1.7.24 | | 0 | | 27
junit-4.12.jar | | pkg:maven/junit/junit@4.12 | | 0 | | 26
lang-mustache-client-5.2.1.jar | cpe:2.3:a:elastic:elasticsearch:5.2.1:*:*:*:*:*:*:*; cpe:2.3:a:elasticsearch:elasticsearch:5.2.1:*:*:*:*:*:*:* | pkg:maven/org.codelibs.elasticsearch.module/lang-mustache@5.2.1; pkg:maven/org.elasticsearch.plugin/lang-mustache-client@5.2.1 | HIGH | 3 | Highest | 49
libphonenumber-6.0.jar | | pkg:maven/com.googlecode.libphonenumber/libphonenumber@6.0 | MEDIUM | 1 | | 19
log4j-api-2.8.1.jar | cpe:2.3:a:apache:log4j:2.8.1:*:*:*:*:*:*:* | pkg:maven/org.apache.logging.log4j/log4j-api@2.8.1 | CRITICAL | 2 | Highest | 41
log4j-over-slf4j-1.7.24.jar | | pkg:maven/org.slf4j/log4j-over-slf4j@1.7.24 | | 0 | | 26
logback-core-1.1.11.jar | cpe:2.3:a:logback:logback:1.1.11:*:*:*:*:*:*:* | pkg:maven/ch.qos.logback/logback-core@1.1.11 | | 0 | Highest | 32
logstash-gelf-1.13.0.jar | | pkg:maven/biz.paluch.logging/logstash-gelf@1.13.0 | | 0 | | 26
logstash-logback-encoder-4.7.jar | cpe:2.3:a:logback:logback:4.7:*:*:*:*:*:*:* | pkg:maven/net.logstash.logback/logstash-logback-encoder@4.7 | | 0 | Highest | 23
logstash-logback-encoder-4.7.jar (shaded: commons-lang:commons-lang:2.6) | | pkg:maven/commons-lang/commons-lang@2.6 | | 0 | | 14
lombok-1.16.14.jar | | pkg:maven/org.projectlombok/lombok@1.16.14 | | 0 | | 19
lombok-1.16.14.jar: WindowsDriveInfo-i386.dll | | | | 0 | | 4
lombok-1.16.14.jar: WindowsDriveInfo-x86_64.dll | | | | 0 | | 2
lucene-core-6.4.1.jar | cpe:2.3:a:apache:lucene:6.4.1:*:*:*:*:*:*:* | pkg:maven/org.apache.lucene/lucene-core@6.4.1 | | 0 | Highest | 31
mail-1.4.7.jar | | pkg:maven/javax.mail/mail@1.4.7 | | 0 | | 43
mailapi-1.4.3.jar | | pkg:maven/javax.mail/mailapi@1.4.3 | | 0 | | 41
mapstruct-1.0.0.Final.jar | | pkg:maven/org.mapstruct/mapstruct@1.0.0.Final | | 0 | | 16
markup-document-builder-0.1.5.jar | | pkg:maven/io.github.robwin/markup-document-builder@0.1.5 | | 0 | | 29
maven-artifact-2.2.1.jar | | pkg:maven/org.apache.maven/maven-artifact@2.2.1 | | 0 | | 26
maven-artifact-manager-2.2.1.jar | | pkg:maven/org.apache.maven/maven-artifact-manager@2.2.1 | | 0 | | 28
maven-model-2.2.1.jar | | pkg:maven/org.apache.maven/maven-model@2.2.1 | | 0 | | 26
maven-plugin-api-2.2.1.jar | | pkg:maven/org.apache.maven/maven-plugin-api@2.2.1 | | 0 | | 26
maven-plugin-registry-2.2.1.jar | | pkg:maven/org.apache.maven/maven-plugin-registry@2.2.1 | | 0 | | 28
maven-profile-2.2.1.jar | | pkg:maven/org.apache.maven/maven-profile@2.2.1 | | 0 | | 26
maven-project-2.2.1.jar | | pkg:maven/org.apache.maven/maven-project@2.2.1 | | 0 | | 26
maven-reporting-api-2.2.1.jar | | pkg:maven/org.apache.maven.reporting/maven-reporting-api@2.2.1 | | 0 | | 26
maven-reporting-impl-2.1.jar | | pkg:maven/org.apache.maven.reporting/maven-reporting-impl@2.1 | | 0 | | 27
maven-repository-metadata-2.2.1.jar | | pkg:maven/org.apache.maven/maven-repository-metadata@2.2.1 | | 0 | | 26
maven-settings-2.2.1.jar | | pkg:maven/org.apache.maven/maven-settings@2.2.1 | | 0 | | 26
maven-shared-io-1.1.jar | | pkg:maven/org.apache.maven.shared/maven-shared-io@1.1 | | 0 | | 29
mockito-core-1.10.19.jar | | pkg:maven/org.mockito/mockito-core@1.10.19 | | 0 | | 25
msg-simple-1.1.jar | | pkg:maven/com.github.fge/msg-simple@1.1 | | 0 | | 28
mybatis-3.4.0.jar | cpe:2.3:a:mybatis:mybatis:3.4.0:*:*:*:*:*:*:* | pkg:maven/org.mybatis/mybatis@3.4.0 | HIGH | 1 | Highest | 47
mybatis-3.4.0.jar (shaded: ognl:ognl:3.1.2) | cpe:2.3:a:ognl_project:ognl:3.1.2:*:*:*:*:*:*:* | pkg:maven/ognl/ognl@3.1.2 | | 0 | Highest | 13
mybatis-3.4.0.jar (shaded: org.javassist:javassist:3.20.0-GA) | | pkg:maven/org.javassist/javassist@3.20.0-GA | | 0 | | 11
mybatis-spring-1.3.0.jar | cpe:2.3:a:mybatis:mybatis:1.3.0:*:*:*:*:*:*:* | pkg:maven/org.mybatis/mybatis-spring@1.3.0 | HIGH | 1 | Highest | 39
mybatis-spring-boot-starter-1.1.1.jar | cpe:2.3:a:mybatis:mybatis:1.1.1:*:*:*:*:*:*:* | pkg:maven/org.mybatis.spring.boot/mybatis-spring-boot-starter@1.1.1 | HIGH | 1 | Highest | 30
mybatis-typehandlers-jsr310-1.0.1.jar | cpe:2.3:a:mybatis:mybatis:1.0.1:*:*:*:*:*:*:* | pkg:maven/org.mybatis/mybatis-typehandlers-jsr310@1.0.1 | HIGH | 1 | Highest | 37
mysql-connector-java-5.1.41.jar | cpe:2.3:a:mysql:mysql:5.1.41:*:*:*:*:*:*:*; cpe:2.3:a:oracle:connector\/j:5.1.41:*:*:*:*:*:*:*; cpe:2.3:a:oracle:mysql_connector\/j:5.1.41:*:*:*:*:*:*:* | pkg:maven/mysql/mysql-connector-java@5.1.41 | HIGH | 7 | Highest | 43
nacos-api-1.2.0.jar | cpe:2.3:a:alibaba:alibaba:1.2.0:*:*:*:*:*:*:*; cpe:2.3:a:alibaba:nacos:1.2.0:*:*:*:*:*:*:* | pkg:maven/com.alibaba.nacos/nacos-api@1.2.0 | | 0 | Highest | 27
nacos-spring-boot-base-0.1.7.jar | cpe:2.3:a:alibaba:alibaba:0.1.7:*:*:*:*:*:*:*; cpe:2.3:a:alibaba:nacos:0.1.7:*:*:*:*:*:*:* | pkg:maven/com.alibaba.boot/nacos-spring-boot-base@0.1.7 | | 0 | Highest | 28
nacos-spring-context-0.3.6.jar | cpe:2.3:a:alibaba:alibaba:0.3.6:*:*:*:*:*:*:*; cpe:2.3:a:alibaba:nacos:0.3.6:*:*:*:*:*:*:* | pkg:maven/com.alibaba.nacos/nacos-spring-context@0.3.6 | | 0 | Highest | 27
netflix-commons-util-0.1.1.jar | | pkg:maven/com.netflix.netflix-commons/netflix-commons-util@0.1.1 | | 0 | | 18
netty-3.10.6.Final.jar | cpe:2.3:a:netty:netty:3.10.6:*:*:*:*:*:*:* | pkg:maven/io.netty/netty@3.10.6.Final | CRITICAL | 3 | Highest | 30
netty-common-4.1.7.Final.jar (shaded: org.jctools:jctools-core:1.2.1) | | pkg:maven/org.jctools/jctools-core@1.2.1 | | 0 | | 9
netty-transport-4.1.7.Final.jar | cpe:2.3:a:netty:netty:4.1.7:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-transport@4.1.7.Final | CRITICAL | 4 | Highest | 29
objenesis-2.5.1.jar | | pkg:maven/org.objenesis/objenesis@2.5.1 | | 0 | | 38
org.apache.oltu.oauth2.common-1.0.2.jar | | pkg:maven/org.apache.oltu.oauth2/org.apache.oltu.oauth2.common@1.0.2 | | 0 | | 32
org.jacoco.agent-0.7.9-runtime.jar | | pkg:maven/org.jacoco/org.jacoco.agent@0.7.9 | | 0 | | 28
org.jacoco.agent-0.7.9-runtime.jar (shaded: org.jacoco:org.jacoco.agent.rt:0.7.9) | | pkg:maven/org.jacoco/org.jacoco.agent.rt@0.7.9 | | 0 | | 11
org.jacoco.core-0.7.9.jar | | pkg:maven/org.jacoco/org.jacoco.core@0.7.9 | | 0 | | 25
org.jacoco.report-0.7.9.jar | | pkg:maven/org.jacoco/org.jacoco.report@0.7.9 | | 0 | | 25
org.jacoco.report-0.7.9.jar: prettify.js | | | | 0 | | 0
org.jacoco.report-0.7.9.jar: sort.js | | | | 0 | | 0
oro-2.0.8.jar | | pkg:maven/oro/oro@2.0.8 | | 0 | | 22
pagehelper-4.1.6.jar | cpe:2.3:a:mybatis:mybatis:4.1.6:*:*:*:*:*:*:* | pkg:maven/com.github.pagehelper/pagehelper@4.1.6 | | 0 | Low | 20
percolator-client-5.2.1.jar | cpe:2.3:a:elastic:elasticsearch:5.2.1:*:*:*:*:*:*:*; cpe:2.3:a:elasticsearch:elasticsearch:5.2.1:*:*:*:*:*:*:* | pkg:maven/org.codelibs.elasticsearch.module/percolator@5.2.1; pkg:maven/org.elasticsearch.plugin/percolator-client@5.2.1 | HIGH | 3 | Highest | 47
plexus-container-default-1.0-alpha-9-stable-1.jar | | pkg:maven/org.codehaus.plexus/plexus-container-default@1.0-alpha-9-stable-1 | | 0 | | 23
plexus-i18n-1.0-beta-7.jar | | pkg:maven/org.codehaus.plexus/plexus-i18n@1.0-beta-7 | | 0 | | 25
plexus-interpolation-1.11.jar | | pkg:maven/org.codehaus.plexus/plexus-interpolation@1.11 | | 0 | | 26
plexus-utils-3.0.22.jar | cpe:2.3:a:plexus-utils_project:plexus-utils:3.0.22:*:*:*:*:*:*:* | pkg:maven/org.codehaus.plexus/plexus-utils@3.0.22 | Unknown | 2 | Highest | 28
plexus-velocity-1.1.7.jar | | pkg:maven/org.codehaus.plexus/plexus-velocity@1.1.7 | | 0 | | 26
random-beans-3.5.0.jar | | pkg:maven/io.github.benas/random-beans@3.5.0 | | 0 | | 26
reindex-client-5.2.1.jar | cpe:2.3:a:elastic:elasticsearch:5.2.1:*:*:*:*:*:*:*; cpe:2.3:a:elasticsearch:elasticsearch:5.2.1:*:*:*:*:*:*:* | pkg:maven/org.codelibs.elasticsearch.module/reindex@5.2.1; pkg:maven/org.elasticsearch.plugin/reindex-client@5.2.1 | HIGH | 3 | Highest | 49
rest-5.2.1.jar | cpe:2.3:a:elastic:elasticsearch:5.2.1:*:*:*:*:*:*:*; cpe:2.3:a:elasticsearch:elasticsearch:5.2.1:*:*:*:*:*:*:* | pkg:maven/org.elasticsearch.client/rest@5.2.1 | HIGH | 3 | Highest | 39
rhino-1.7R4.jar | | pkg:maven/org.mozilla/rhino@1.7R4 | | 0 | | 28
rxjava-1.2.0.jar | | pkg:maven/io.reactivex/rxjava@1.2.0 | | 0 | | 52
securesm-1.1.jar | | pkg:maven/org.elasticsearch/securesm@1.1 | | 0 | | 15
servo-core-0.7.2.jar | | pkg:maven/com.netflix.servo/servo-core@0.7.2 | | 0 | | 18
shiro-core-1.6.0.jar | cpe:2.3:a:apache:shiro:1.6.0:*:*:*:*:*:*:* | pkg:maven/org.apache.shiro/shiro-core@1.6.0 | | 0 | Highest | 35
simpleclient-0.5.0.jar | cpe:2.3:a:prometheus:prometheus:0.5.0:*:*:*:*:*:*:* | pkg:maven/io.prometheus/simpleclient@0.5.0 | | 0 | Highest | 20
slf4j-api-1.7.24.jar | | pkg:maven/org.slf4j/slf4j-api@1.7.24 | | 0 | | 26
slf4j-ext-1.6.3.jar | cpe:2.3:a:slf4j:slf4j-ext:1.6.3:*:*:*:*:*:*:* | pkg:maven/org.slf4j/slf4j-ext@1.6.3 | CRITICAL | 1 | Highest | 28
snakeyaml-1.17.jar | cpe:2.3:a:snakeyaml_project:snakeyaml:1.17:*:*:*:*:*:*:* | pkg:maven/org.yaml/snakeyaml@1.17 | HIGH | 1 | Highest | 27
spring-aspects-4.3.7.RELEASE.jar | cpe:2.3:a:pivotal_software:spring_framework:4.3.7:release:*:*:*:*:*:*; cpe:2.3:a:springsource:spring_framework:4.3.7:release:*:*:*:*:*:*; cpe:2.3:a:vmware:springsource_spring_framework:4.3.7:release:*:*:*:*:*:* | pkg:maven/org.springframework/spring-aspects@4.3.7.RELEASE | CRITICAL | 10 | Highest | 27
spring-auto-restdocs-core-1.0.7.jar | | pkg:maven/capital.scalable/spring-auto-restdocs-core@1.0.7 | | 0 | | 23
spring-batch-core-3.0.7.RELEASE.jar | cpe:2.3:a:pivotal_software:spring_batch:3.0.7:release:*:*:*:*:*:* | pkg:maven/org.springframework.batch/spring-batch-core@3.0.7.RELEASE | CRITICAL | 1 | Highest | 28
spring-boot-1.5.2.RELEASE.jar | cpe:2.3:a:pivotal_software:spring_boot:1.5.2:release:*:*:*:*:*:* | pkg:maven/org.springframework.boot/spring-boot@1.5.2.RELEASE | CRITICAL | 2 | High | 30
spring-boot-admin-server-1.5.0.jar | cpe:2.3:a:pivotal_software:spring_boot:1.5.0:*:*:*:*:*:*:*; cpe:2.3:a:pivotal_software:spring_framework:1.5.0:*:*:*:*:*:*:* | pkg:maven/de.codecentric/spring-boot-admin-server@1.5.0 | CRITICAL | 7 | Highest | 25
spring-boot-admin-server-ui-1.5.0.jar: core.js | | | | 0 | | 0
spring-boot-admin-server-ui-1.5.0.jar: dependencies.js | | pkg:javascript/angularjs@1.5.8; pkg:javascript/jquery@3.1.1 | medium | 9 | | 6
spring-boot-admin-server-ui-1.5.0.jar: module.js | | | | 0 | | 0
spring-boot-admin-server-ui-1.5.0.jar: module.js | | | | 0 | | 0
spring-boot-admin-server-ui-1.5.0.jar: module.js | | | | 0 | | 0
spring-boot-admin-server-ui-1.5.0.jar: module.js | | | | 0 | | 0
spring-boot-admin-server-ui-1.5.0.jar: module.js | | | | 0 | | 0
spring-boot-admin-server-ui-1.5.0.jar: module.js | | | | 0 | | 0
spring-boot-admin-server-ui-1.5.0.jar: module.js | | | | 0 | | 0
spring-boot-admin-server-ui-1.5.0.jar: module.js | | | | 0 | | 0
spring-boot-admin-server-ui-1.5.0.jar: module.js | | | | 0 | | 0
spring-boot-admin-server-ui-1.5.0.jar: module.js | | | | 0 | | 0
spring-boot-admin-server-ui-1.5.0.jar: module.js | | | | 0 | | 0
spring-boot-admin-server-ui-1.5.0.jar: module.js | | | | 0 | | 0
spring-boot-admin-server-ui-1.5.0.jar: module.js | | | | 0 | | 0
spring-boot-admin-server-ui-1.5.0.jar: module.js | | | | 0 | | 0
spring-boot-admin-server-ui-1.5.0.jar: module.js | | | | 0 | | 0
spring-boot-starter-batch-1.5.2.RELEASE.jar | cpe:2.3:a:pivotal_software:spring_batch:1.5.2:release:*:*:*:*:*:*; cpe:2.3:a:pivotal_software:spring_boot:1.5.2:release:*:*:*:*:*:* | pkg:maven/org.springframework.boot/spring-boot-starter-batch@1.5.2.RELEASE | CRITICAL | 3 | High | 26
spring-boot-starter-data-redis-1.5.2.RELEASE.jar | cpe:2.3:a:pivotal_software:spring_boot:1.5.2:release:*:*:*:*:*:* | pkg:maven/org.springframework.boot/spring-boot-starter-data-redis@1.5.2.RELEASE | CRITICAL | 2 | High | 26
spring-cloud-commons-1.2.0.RELEASE.jar | | pkg:maven/org.springframework.cloud/spring-cloud-commons@1.2.0.RELEASE | | 0 | | 25
spring-cloud-context-1.2.0.RELEASE.jar | | pkg:maven/org.springframework.cloud/spring-cloud-context@1.2.0.RELEASE | | 0 | | 25
spring-cloud-netflix-core-1.3.0.RELEASE.jar | | pkg:maven/org.springframework.cloud/spring-cloud-netflix-core@1.3.0.RELEASE | | 0 | | 25
spring-context-support-1.0.5.jar | cpe:2.3:a:alibaba:alibaba:1.0.5:*:*:*:*:*:*:* | pkg:maven/com.alibaba.spring/spring-context-support@1.0.5 | | 0 | Highest | 17
spring-core-4.3.7.RELEASE.jar | cpe:2.3:a:pivotal_software:spring_framework:4.3.7:release:*:*:*:*:*:*; cpe:2.3:a:springsource:spring_framework:4.3.7:release:*:*:*:*:*:*; cpe:2.3:a:vmware:springsource_spring_framework:4.3.7:release:*:*:*:*:*:* | pkg:maven/org.springframework/spring-core@4.3.7.RELEASE | CRITICAL | 10 | Highest | 28
spring-data-commons-1.13.1.RELEASE.jar | | pkg:maven/org.springframework.data/spring-data-commons@1.13.1.RELEASE | CRITICAL | 3 | | 26
spring-data-keyvalue-1.2.1.RELEASE.jar | | pkg:maven/org.springframework.data/spring-data-keyvalue@1.2.1.RELEASE | | 0 | | 26
spring-data-redis-1.8.1.RELEASE.jar | | pkg:maven/org.springframework.data/spring-data-redis@1.8.1.RELEASE | | 0 | | 26
spring-oxm-4.3.7.RELEASE.jar | cpe:2.3:a:pivotal_software:spring_framework:4.3.7:release:*:*:*:*:*:*; cpe:2.3:a:springsource:spring_framework:4.3.7:release:*:*:*:*:*:*; cpe:2.3:a:vmware:springsource_spring_framework:4.3.7:release:*:*:*:*:*:* | pkg:maven/org.springframework/spring-oxm@4.3.7.RELEASE | CRITICAL | 10 | Highest | 28
spring-plugin-core-1.2.0.RELEASE.jar | | pkg:maven/org.springframework.plugin/spring-plugin-core@1.2.0.RELEASE | | 0 | | 25
spring-plugin-metadata-1.2.0.RELEASE.jar | | pkg:maven/org.springframework.plugin/spring-plugin-metadata@1.2.0.RELEASE | | 0 | | 25
spring-restdocs-core-1.1.2.RELEASE.jar | | pkg:maven/org.springframework.restdocs/spring-restdocs-core@1.1.2.RELEASE | | 0 | | 21
spring-restdocs-mockmvc-1.1.2.RELEASE.jar | | pkg:maven/org.springframework.restdocs/spring-restdocs-mockmvc@1.1.2.RELEASE | | 0 | | 23
spring-retry-1.2.0.RELEASE.jar | | pkg:maven/org.springframework.retry/spring-retry@1.2.0.RELEASE | | 0 | | 26
spring-security-crypto-4.2.2.RELEASE.jar | cpe:2.3:a:pivotal_software:spring_security:4.2.2:release:*:*:*:*:*:* | pkg:maven/org.springframework.security/spring-security-crypto@4.2.2.RELEASE | HIGH | 6 | Highest | 38
springfox-bean-validators-2.5.0.jar | | pkg:maven/io.springfox/springfox-bean-validators@2.5.0 | | 0 | | 32
springfox-core-2.5.0.jar | | pkg:maven/io.springfox/springfox-core@2.5.0 | | 0 | | 27
springfox-schema-2.5.0.jar | | pkg:maven/io.springfox/springfox-schema@2.5.0 | | 0 | | 31
springfox-spi-2.5.0.jar | | pkg:maven/io.springfox/springfox-spi@2.5.0 | | 0 | | 31
springfox-spring-web-2.5.0.jar | | pkg:maven/io.springfox/springfox-spring-web@2.5.0 | | 0 | | 31
springfox-staticdocs-2.5.0.jar | | pkg:maven/io.springfox/springfox-staticdocs@2.5.0 | | 0 | | 30
springfox-swagger-common-2.5.0.jar | | pkg:maven/io.springfox/springfox-swagger-common@2.5.0 | | 0 | | 31
springfox-swagger-ui-2.5.0.jar | | pkg:maven/io.springfox/springfox-swagger-ui@2.5.0 | | 0 | | 23
springfox-swagger-ui-2.5.0.jar: backbone-min.js | | | | 0 | | 0
springfox-swagger-ui-2.5.0.jar: en.js | | | | 0 | | 0
springfox-swagger-ui-2.5.0.jar: es.js | | | | 0 | | 0
springfox-swagger-ui-2.5.0.jar: fr.js | | | | 0 | | 0
springfox-swagger-ui-2.5.0.jar: handlebars-2.0.0.js | | pkg:javascript/handlebars@2.0.0 | medium | 3 | | 3
springfox-swagger-ui-2.5.0.jar: highlight.7.3.pack.js | | | | 0 | | 0
springfox-swagger-ui-2.5.0.jar: it.js | | | | 0 | | 0
springfox-swagger-ui-2.5.0.jar: ja.js | | | | 0 | | 0
springfox-swagger-ui-2.5.0.jar: jquery-1.8.0.min.js | | pkg:javascript/jquery@1.8.0.min | MEDIUM | 5 | | 3
springfox-swagger-ui-2.5.0.jar: jquery.ba-bbq.min.js | | | | 0 | | 0
springfox-swagger-ui-2.5.0.jar: jquery.slideto.min.js | | | | 0 | | 0
springfox-swagger-ui-2.5.0.jar: jquery.wiggle.min.js | | | | 0 | | 0
springfox-swagger-ui-2.5.0.jar: jsoneditor.min.js | | | | 0 | | 0
springfox-swagger-ui-2.5.0.jar: marked.js | | | | 0 | | 0
springfox-swagger-ui-2.5.0.jar: pl.js | | | | 0 | | 0
springfox-swagger-ui-2.5.0.jar: pt.js | | | | 0 | | 0
springfox-swagger-ui-2.5.0.jar: ru.js | | | | 0 | | 0
springfox-swagger-ui-2.5.0.jar: springfox.js | | | | 0 | | 0
springfox-swagger-ui-2.5.0.jar: swagger-oauth.js | | | | 0 | | 0
springfox-swagger-ui-2.5.0.jar: swagger-ui.min.js | | | | 0 | | 0
springfox-swagger-ui-2.5.0.jar: tr.js | | | | 0 | | 0
springfox-swagger-ui-2.5.0.jar: translator.js | | | | 0 | | 0
springfox-swagger-ui-2.5.0.jar: underscore-min.js | | | | 0 | | 0
springfox-swagger-ui-2.5.0.jar: zh-cn.js | | | | 0 | | 0
springfox-swagger2-2.5.0.jar | | pkg:maven/io.springfox/springfox-swagger2@2.5.0 | | 0 | | 31
swagger-annotations-1.5.9.jar | | pkg:maven/io.swagger/swagger-annotations@1.5.9 | | 0 | | 28
swagger-core-1.5.4.jar | | pkg:maven/io.swagger/swagger-core@1.5.4 | | 0 | | 27
swagger-models-1.5.9.jar | | pkg:maven/io.swagger/swagger-models@1.5.9 | | 0 | | 27
swagger-parser-1.0.13.jar | cpe:2.3:a:swagger:swagger-parser:1.0.13:*:*:*:*:*:*:* | pkg:maven/io.swagger/swagger-parser@1.0.13 | HIGH | 2 | Highest | 23
swagger2markup-0.9.2.jar | | pkg:maven/io.github.robwin/swagger2markup@0.9.2 | | 0 | | 29
t-digest-3.0.jar | | pkg:maven/com.tdunning/t-digest@3.0 | | 0 | | 19
tomcat-embed-core-8.5.11.jar | cpe:2.3:a:apache:tomcat:8.5.11:*:*:*:*:*:*:*; cpe:2.3:a:apache_software_foundation:tomcat:8.5.11:*:*:*:*:*:*:*; cpe:2.3:a:apache_tomcat:apache_tomcat:8.5.11:*:*:*:*:*:*:* | pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.11 | CRITICAL | 29 | Highest | 22
tomcat-embed-el-8.5.11.jar | | pkg:maven/org.apache.tomcat.embed/tomcat-embed-el@8.5.11 | | 0 | | 23
tomcat-juli-8.5.11.jar | cpe:2.3:a:apache_software_foundation:tomcat:8.5.11:*:*:*:*:*:*:* | pkg:maven/org.apache.tomcat/tomcat-juli@8.5.11 | | 0 | Highest | 23
tools-1.8.0.jar | | | | 0 | | 8
tools-1.8.0.jar: hat.js | | | | 0 | | 0
tools-1.8.0.jar: init.js | | | | 0 | | 0
tools-1.8.0.jar: script.js | | | | 0 | | 0
transport-5.2.1.jar | cpe:2.3:a:elastic:elasticsearch:5.2.1:*:*:*:*:*:*:*; cpe:2.3:a:elasticsearch:elasticsearch:5.2.1:*:*:*:*:*:*:* | pkg:maven/org.elasticsearch.client/transport@5.2.1 | HIGH | 3 | Highest | 43
uri-template-0.9.jar | | pkg:maven/com.github.fge/uri-template@0.9 | | 0 | | 28
validation-api-1.1.0.Final.jar | | pkg:maven/javax.validation/validation-api@1.1.0.Final | | 0 | | 19
velocity-1.5.jar | | pkg:maven/org.apache.velocity/velocity@1.5; pkg:maven/velocity/velocity@1.5 | | 0 | | 40
wagon-provider-api-1.0-beta-6.jar | cpe:2.3:a:apache:maven_wagon:1.0.eta-6:*:*:*:*:*:*:* | pkg:maven/org.apache.maven.wagon/wagon-provider-api@1.0-beta-6 | | 0 | Highest | 25
xercesImpl-2.8.1.jar | cpe:2.3:a:apache:xerces2_java:2.8.1:*:*:*:*:*:*:* | pkg:maven/xerces/xercesImpl@2.8.1 | Unknown | 2 | Low | 66
xml-apis-1.4.01.jar | | pkg:maven/xml-apis/xml-apis@1.4.01 | | 0 | | 75
xmlpull-1.1.3.1.jar | | pkg:maven/xmlpull/xmlpull@1.1.3.1 | | 0 | | 18
xpp3_min-1.1.4c.jar | | pkg:maven/xpp3/xpp3_min@1.1.4c | | 0 | | 22
xstream-1.4.7.jar | cpe:2.3:a:xstream_project:xstream:1.4.7:*:*:*:*:*:*:* | pkg:maven/com.thoughtworks.xstream/xstream@1.4.7 | HIGH | 2 | Highest | 43
zuul-core-1.3.0.jar | | pkg:maven/com.netflix.zuul/zuul-core@1.3.0 | | 0 | | 46

Dependencies

HdrHistogram-2.1.6.jar

Description:

HdrHistogram supports the recording and analyzing of sampled data value counts across a configurable integer value range with configurable value precision within the range. Value precision is expressed as the number of significant digits in the value recording, and provides control over value quantization behavior across the value range and the subsequent value resolution at any given level.

License:

Public Domain, per Creative Commons CC0: http://creativecommons.org/publicdomain/zero/1.0/
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-search/target/dependency/HdrHistogram-2.1.6.jar
MD5: 565bf21a1fec0dc39e8b9d5eb0642344
SHA1: 7495feb7f71ee124bd2a7e7d83590e296d71d80e
SHA256:1d44b3a32d268aa453ee7a9bb89650dfccb159a3160df49d92f299f2b72e9988

Identifiers

HdrHistogram-2.1.9.jar

Description:

HdrHistogram supports the recording and analyzing of sampled data value counts across a configurable integer value range with configurable value precision within the range. Value precision is expressed as the number of significant digits in the value recording, and provides control over value quantization behavior across the value range and the subsequent value resolution at any given level.

License:

Public Domain, per Creative Commons CC0: http://creativecommons.org/publicdomain/zero/1.0/
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/HdrHistogram-2.1.9.jar
MD5: ee302e5e7489719991aa0ca2dd67febd
SHA1: e4631ce165eb400edecfa32e03d3f1be53dee754
SHA256:95d40913be28dfd439cefea9170c40898ea84f11f25e6ff8de50339b8a7b5e3e

Identifiers

accessors-smart-1.1.jar

Description:

Java reflection gives poor performance on getter, setter and constructor calls; accessors-smart uses ASM to speed up those calls.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-search/target/dependency/accessors-smart-1.1.jar
MD5: b75cda0d7dadff9e6c20f4e7f3c3bc82
SHA1: a527213f2fea112a04c9bdf0ec0264e34104cd08
SHA256:e6e04753913546da3ff0fbf532ac2831d0266f69246b1e6e295ba367aa9f02a5

Identifiers

activation-1.1.jar

Description:

JavaBeans Activation Framework (JAF) is a standard extension to the Java platform that lets you take advantage of standard services to: determine the type of an arbitrary piece of data; encapsulate access to it; discover the operations available on it; and instantiate the appropriate bean to perform the operation(s).

License:

Common Development and Distribution License (CDDL) v1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/activation-1.1.jar
MD5: 8ae38e87cd4f86059c0294a8fe3e0b18
SHA1: e6cb541461c2834bdea3eb920f1884d1eb508b50
SHA256:2881c79c9d6ef01c58e62beea13e9d1ac8b8baa16f2fc198ad6e6776defdcdd3

Identifiers

aliyun-sdk-oss-2.5.0.jar

Description:

The Aliyun OSS SDK for Java used for accessing Aliyun Object Storage Service

License:

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-upload/target/dependency/aliyun-sdk-oss-2.5.0.jar
MD5: 59f4f207d393f0440757235c8107deca
SHA1: 917f16c768386d88a1fce029b7751c802bb49245
SHA256:1d0f293bc07221418e074e6217de8cb6e9fb67c441ee13d981ee98b6f44744b3

Identifiers

android-json-0.0.20131108.vaadin1.jar

Description:

JSON (JavaScript Object Notation) is a lightweight data-interchange format. This is the org.json compatible Android implementation extracted from the Android SDK.

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-sms-http/target/dependency/android-json-0.0.20131108.vaadin1.jar
MD5: 10612241a9cc269501a7a2b8a984b949
SHA1: fa26d351fe62a6a17f5cda1287c1c6110dec413f
SHA256:dfb7bae2f404cfe0b72b4d23944698cb716b7665171812a0a4d0f5926c0fac79

Identifiers

annotations-2.0.0.jar

Description:

Annotations supporting the FindBugs tool

License:

GNU Lesser Public License: http://www.gnu.org/licenses/lgpl.html
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/annotations-2.0.0.jar
MD5: 14a4ebc50afb20e9520fe502d231809d
SHA1: d8dff1d83a79f0c0609c360f02bcd2f2fc1f1369
SHA256:09b0ceef7b47b39c916ed4e0e6121ecdcdb4d2538f5a479fee387146f7bc67c1

Identifiers

archaius-core-0.6.0.jar

Description:

archaius-core developed by Netflix

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/archaius-core-0.6.0.jar
MD5: 68406596c9e0e246e5454dab85186352
SHA1: 1ecb29ef5d4c0c98cae35d1038fd980688eab5f9
SHA256:6e262737ee105ab704a3c66df790627ba698add65f5b18ce64b7569caadeaaad

Identifiers

asm-5.0.3.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-migration/target/dependency/asm-5.0.3.jar
MD5: ccebee99fb8cdd50e1967680a2eac0ba
SHA1: dcc2193db20e19e1feca8b1240dbbc4e190824fa
SHA256:71c4f78e437b8fdcd9cc0dfd2abea8c089eb677005a6a5cff320206cc52b46cc

Identifiers

asm-debug-all-5.2.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/asm-debug-all-5.2.jar
MD5: fe5f20404ccdee9769ef05dc4b47ba98
SHA1: 3354e11e2b34215f06dab629ab88e06aca477c19
SHA256:254b82bec9da4f8efbc8b1f93ab2b87f7465227a82b36cf3d05d9e77a0e8dd2e

Identifiers

aspectjweaver-1.8.9.jar

Description:

The AspectJ weaver introduces advices to java classes

License:

Eclipse Public License - v 1.0: http://www.eclipse.org/legal/epl-v10.html
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-sms-http/target/dependency/aspectjweaver-1.8.9.jar
MD5: 304a51bce49f52a26bb79f3fd0b58325
SHA1: db28774f477f07220eac18d5ec9c4e01f48589d7
SHA256:5e41d39eca300e2d8e6067f5660d70dcc66ec2da9cbd46a3d5985e609d1e6ecf

Identifiers

assertj-core-2.6.0.jar

Description:

Rich and fluent assertions for testing

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-search/target/dependency/assertj-core-2.6.0.jar
MD5: 1c7a969eeb11e3dd854a6a5f417f5cf2
SHA1: b532c3fc4f66bcfee4989a3514f1cd56203a33ad
SHA256:d20c78593c85bd6efe7af2de8ea0b7f2e0288ca6076b52e584bad52188ec7c7b

Identifiers

assertj-core-2.6.0.jar (shaded: cglib:cglib-nodep:3.2.4)

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-search/target/dependency/assertj-core-2.6.0.jar/META-INF/maven/cglib/cglib-nodep/pom.xml
MD5: 425b3e01685d013cbc5b431afc582104
SHA1: 3d0aad1cd07c4754588acbdb8561e367e457cc1d
SHA256:deae8511bfabe5cd0799c516446bc3a588f8ca82309df2cf55d01a0d75626102

Identifiers

assertj-core-2.6.0.jar (shaded: cglib:cglib:3.2.4)

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-search/target/dependency/assertj-core-2.6.0.jar/META-INF/maven/cglib/cglib/pom.xml
MD5: 072045d2914c647e8e37e8c4b387aaf0
SHA1: 23e1de8e375b571cb6c40ef93f04578abc23dfcb
SHA256:6e31974a4cfc4e465d4133628f7fdd2ab69fbdb20d1dec27bfc24abd1078f741

Identifiers

aws-java-sdk-core-1.11.22.jar

Description:

The AWS SDK for Java - Core module holds the classes that are used by the individual service clients to interact with Amazon Web Services. Users need to depend on the aws-java-sdk artifact for accessing individual client classes.

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-upload/target/dependency/aws-java-sdk-core-1.11.22.jar
MD5: 89376ff44e3ba7cde45bb9b252e17797
SHA1: 019b10c31a696728b449cfc66637b703370ddeff
SHA256:e1cf8cf815ca584d590f5eff5645c01b1469b41bf9debd22757fb9341e2b6412

Identifiers

aws-java-sdk-kms-1.11.22.jar

Description:

The AWS Java SDK for AWS KMS module holds the client classes that are used for communicating with AWS Key Management Service

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-upload/target/dependency/aws-java-sdk-kms-1.11.22.jar
MD5: 6b1b3b263e91d577c28fd93d590f0b54
SHA1: f87e740fc468306ecd7dd73fdc386472fe6763d5
SHA256:08a29996c27e249269674ba16e333c202f899fff3aae640e574fab86bf4ef736

Identifiers

aws-java-sdk-s3-1.11.22.jar

Description:

The AWS Java SDK for Amazon S3 module holds the client classes that are used for communicating with Amazon Simple Storage Service

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-upload/target/dependency/aws-java-sdk-s3-1.11.22.jar
MD5: 7c5bc60a2383f0b0fe48af0ab962b09a
SHA1: 6bdd5b519df9f7d6106d1368d8c76bc724cd2703
SHA256:3d602d5ade35d967caf8cb5ac04d469b9b347602ccb8004ce3a04a5de4615bbe

Identifiers

aws-java-sdk-sts-1.11.22.jar

Description:

The AWS Java SDK for AWS STS module holds the client classes that are used for communicating with AWS Security Token Service

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-upload/target/dependency/aws-java-sdk-sts-1.11.22.jar
MD5: 66dd519c1963169fa01852d724bc4fe8
SHA1: f849f3f89163708ba89353a31498503825ad1335
SHA256:d54169233622e41f0e942107edae3e08da8ed52293db622d2a45107f376f6a06

Identifiers

backport-util-concurrent-3.1.jar

Description:

Dawid Kurzyniec's backport of JSR 166

License:

Public Domain: http://creativecommons.org/licenses/publicdomain
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/backport-util-concurrent-3.1.jar
MD5: 748bb0cbf4780b2e3121dc9c12e10cd9
SHA1: 682f7ac17fed79e92f8e87d8455192b63376347b
SHA256:f5759b7fcdfc83a525a036deedcbd32e5b536b625ebc282426f16ca137eb5902

Identifiers

btf-1.2.jar

Description:

null

License:

Lesser General Public License, version 3 or greater: http://www.gnu.org/licenses/lgpl.html
Apache Software License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/btf-1.2.jar
MD5: 5c91cd1157e0bb99e77a33b6f42a457c
SHA1: 9e66651022eb86301b348d57e6f59459effc343b
SHA256:38a380577a186718cb97ee8af58d4f40f7fbfdc23ff68b5f4b3c2c68a1d5c05d

Identifiers

cal10n-api-0.7.4.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/cal10n-api-0.7.4.jar
MD5: 80109109356c7bfbe6ca29c70d0655fc
SHA1: 132b7e1702af0335cf4259d30aaf959264db688f
SHA256:7c6f270575a0cd69306dd6189f6ff29230fbd829f43306e5a7ae234eb6b25553

Identifiers

classmate-1.3.3.jar

Description:

Library for introspecting types with full generic information, including resolving of field and method types.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-common/target/dependency/classmate-1.3.3.jar
MD5: 85986d1c6a2a58901ab1ca64ff4d8a50
SHA1: 864c8e370a691e343210cc7c532fc198cee460d8
SHA256:607852e0e8d608183b6dba8e6064726ff4c7895e128196885fb5a2df481df344

Identifiers

classworlds-1.1-alpha-2.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-common/target/dependency/classworlds-1.1-alpha-2.jar
MD5: 82cacb7d9724c4a4e4d20f004884d4da
SHA1: 05adf2e681c57d7f48038b602f3ca2254ee82d47
SHA256:2bf4e59f3acd106fea6145a9a88fe8956509f8b9c0fdd11eb96fee757269e3f3

Identifiers

com.ibm.jbatch-tck-spi-1.0.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-batch/target/dependency/com.ibm.jbatch-tck-spi-1.0.jar
MD5: f476e385f602ee1e17a1d8306cce3c67
SHA1: 8ac869b0a60bff1a15eba0fb6398942410396938
SHA256:8b1130444dc617596509ff4a8e9e99bd1d08a36569a60974968131edf8887d84

Identifiers

commons-beanutils-1.9.3.jar

Description:

Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/commons-beanutils-1.9.3.jar
MD5: 4a105c9d029a7edc6f2b16567d37eab6
SHA1: c845703de334ddc6b4b3cd26835458cb1cba1f3d
SHA256:c058e39c7c64203d3a448f3adb588cb03d6378ed808485618f26e137f29dae73

Identifiers

CVE-2019-10086  

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however, were not using this by default characteristic of the PropertyUtilsBean.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.3)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References:

Vulnerable Software & Versions:

commons-codec-1.10.jar

Description:

The Apache Commons Codec package contains simple encoders and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-sms-http/target/dependency/commons-codec-1.10.jar
MD5: 353cf6a2bdba09595ccfa073b78c7fcb
SHA1: 4b95f4897fa13f2cd904aee711aeafc0c5295cd8
SHA256:4241dfa94e711d435f29a4604a3e2de5c4aa3c165e23bd066be6fc1fc4309569

Identifiers

commons-collections-3.2.2.jar

Description:

Types that extend and augment the Java Collections Framework.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-upload/target/dependency/commons-collections-3.2.2.jar
MD5: f54a8510f834a1a57166970bfc982e94
SHA1: 8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5
SHA256:eeeae917917144a68a741d4c0dff66aa5c5c5fd85593ff217bced3fc8ca783b8

Identifiers

commons-collections4-4.1.jar

Description:

The Apache Commons Collections package contains types that extend and augment the Java Collections Framework.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-parent/target/dependency/commons-collections4-4.1.jar
MD5: 45af6a8e5b51d5945de6c7411e290bd1
SHA1: a4cf4688fe1c7e3a63aa636cc96d013af537768e
SHA256:b1fe8b5968b57d8465425357ed2d9dc695504518bed2df5b565c4b8e68c1c8a5

Identifiers

commons-configuration-1.8.jar

Description:

Tools to assist in the reading of configuration/preferences files in various formats.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/commons-configuration-1.8.jar
MD5: a69448e8c1e24d989266083c301e354b
SHA1: 6cce40435bcd8018018f16898de01976b319941a
SHA256:e229cf1fe95f7147cbc1f8d31affc07087c206bc8dc7e5b05b6be670910f87ba

Identifiers

commons-digester-2.1.jar

Description:

The Digester package lets you configure an XML to Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-batch/target/dependency/commons-digester-2.1.jar
MD5: 528445033f22da28f5047b6abcd1c7c9
SHA1: 73a8001e7a54a255eef0f03521ec1805dc738ca0
SHA256:e0b2b980a84fc6533c5ce291f1917b32c507f62bcad64198fff44368c2196a3d

Identifiers

commons-httpclient-3.1.jar

Description:

The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1), several related specifications (RFC 2109 (Cookies), RFC 2617 (HTTP Authentication), etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.

License:

Apache License: http://www.apache.org/licenses/LICENSE-2.0
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/commons-httpclient-3.1.jar
MD5: 8ad8c9229ef2d59ab9f59f7050e846a5
SHA1: 964cd74171f427720480efdec40a7c7f6e58426a
SHA256:dbd4953d013e10e7c1cc3701a3e6ccd8c950c892f08d804fabfac21705930443

Identifiers

commons-io-2.4.jar

Description:

The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-mail/target/dependency/commons-io-2.4.jar
MD5: 7f97854dc04c119d461fed14f5d8bb96
SHA1: b1b6ea3b7e4aa4f492509a4952029cd8e48019ad
SHA256:cc6a41dc3eaacc9e440a6bd0d2890b20d36b4ee408fe2d67122f328bb6e01581

Identifiers

commons-lang-2.4.jar

Description:

Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-common/target/dependency/commons-lang-2.4.jar
MD5: 237a8e845441bad2e535c57d985c8204
SHA1: 16313e02a793435009f1e458fa4af5d879f6fb11
SHA256:2c73b940c91250bc98346926270f13a6a10bb6e29d2c9316a70d134e382c873e

Identifiers

commons-lang-2.5.jar

Description:

Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-upload/target/dependency/commons-lang-2.5.jar
MD5: ab04c560caea60d3b0050beb57776a32
SHA1: b0236b252e86419eef20c31a44579d2aee2f0a69
SHA256:a64e0c73988fef8d5b73fc29d105a3a6e2dc5d9b90a94fca065cd2439dc56590

Identifiers

commons-lang3-3.4.jar

Description:

Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-migration/target/dependency/commons-lang3-3.4.jar
MD5: 8667a442ee77e509fbe8176b94726eb2
SHA1: 5fe28b9518e58819180a43a850fbc0dd24b7c050
SHA256:734c8356420cc8e30c795d64fd1fcd5d44ea9d90342a2cc3262c5158fbc6d98b

Identifiers

commons-logging-1.0.4.jar

Description:

Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

License:

The Apache Software License, Version 2.0: /LICENSE.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-parent/target/dependency/commons-logging-1.0.4.jar
MD5: 8a507817b28077e0478add944c64586a
SHA1: f029a2aefe2b3e1517573c580f948caac31b1056
SHA256:e94af49749384c11f5aa50e8d0f5fe679be771295b52030338d32843c980351e

Identifiers

commons-logging-1.1.3.jar

Description:

Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-elasticsearch/target/dependency/commons-logging-1.1.3.jar
MD5: 92eb5aabc1b47287de53d45c086a435c
SHA1: f6f66e966c70a83ffbdb6f17a0919eaf7c8aca7f
SHA256:70903f6fc82e9908c8da9f20443f61d90f0870a312642991fe8462a0b9391784

Identifiers

commons-logging-1.2.jar

Description:

Apache Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-mail/target/dependency/commons-logging-1.2.jar
MD5: 040b4b4d8eac886f6b4a2a3bd2f31b00
SHA1: 4bfc12adfe4842bf07b657f0369c4cb522955686
SHA256:daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636

Identifiers

commons-pool2-2.4.2.jar

Description:

Apache Commons Object Pooling Library

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/commons-pool2-2.4.2.jar
MD5: 62727a85e2e1bf6a756f5571d19cc71c
SHA1: e5f4f28f19d57716fbc3989d7a357ebf1e454fea
SHA256:21112aa673733dfcd045354ddf75b31e1d464b99c8e515974349b2532254cc53

Identifiers

commons-validator-1.2.0.jar

Description:

Commons Validator provides the building blocks for both client side validation and server side data validation. It may be used standalone or with a framework like Struts.

License:

The Apache Software License, Version 2.0: /LICENSE.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/commons-validator-1.2.0.jar
MD5: 9fce68eba660211681217f0b119041c5
SHA1: 13dcebc00d206605bea72f6191b80370eb3ca805
SHA256:ad7565ec5ce34d53083777ad93d1ff08cdb37142f579f435131b1ab7f3796cdb

Identifiers

commons-validator-1.2.0.jar: validateByte.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/commons-validator-1.2.0.jar/org/apache/commons/validator/javascript/validateByte.js
MD5: 82bf8b56ce471f2e1a5394aaaf322423
SHA1: 3147005b9c5e5e47c014089a94d5d1f1f88e449b
SHA256:68edb86fb5bb9df9b7a5366c8bb14f42e5af78106cb63fb5b9b51418ac49f5f3

Identifiers

  • None

commons-validator-1.2.0.jar: validateCreditCard.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/commons-validator-1.2.0.jar/org/apache/commons/validator/javascript/validateCreditCard.js
MD5: d10932b82e8abf51bff2bc82ee7d6785
SHA1: 967b7cb3e6e97782ba6d8bea18c81200d2bffbb3
SHA256:8f786f25b37d76959d2ac9d03f2cf99184909699792a4ec8818eab9fefd72358

Identifiers

  • None

commons-validator-1.2.0.jar: validateDate.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/commons-validator-1.2.0.jar/org/apache/commons/validator/javascript/validateDate.js
MD5: 27c8fb966d7b111acca8dd543f0838ac
SHA1: 71afdff1e345feae7bba42ce392cf5af8c4c63df
SHA256:2c2a9840e478e7f954904a367ba4ebc5ee313392902b0150d4792bb4609b91a6

Identifiers

  • None

commons-validator-1.2.0.jar: validateEmail.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/commons-validator-1.2.0.jar/org/apache/commons/validator/javascript/validateEmail.js
MD5: 975d0a38368ac5aa56ad2ae9295e56d8
SHA1: 500d31025477d50aa708a0f02cb6778722a4d078
SHA256:6f35e0642b5ae2fa29309f87d84b070337081913f72ddb0ed14547198be70585

Identifiers

  • None

commons-validator-1.2.0.jar: validateFloat.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/commons-validator-1.2.0.jar/org/apache/commons/validator/javascript/validateFloat.js
MD5: f84186cfa81110a4f98fab13aca666c7
SHA1: 3989a1515b110e7d7191061cd51e086224abc88f
SHA256:1633df82297e00328ad1496f4f64d3452fa3facd9152618ca12c69627f5a4921

Identifiers

  • None

commons-validator-1.2.0.jar: validateFloatRange.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/commons-validator-1.2.0.jar/org/apache/commons/validator/javascript/validateFloatRange.js
MD5: 6f9f96c31ec9b4dc55cce8cb937742c0
SHA1: a68ec586d77b4caff3d0d84fbf0b6cb7f5ff5e2f
SHA256:32aedb81494126c81ff8e0ed4b4e37d15fd6c16e199596c56b7bb4e41c19ad4f

Identifiers

  • None

commons-validator-1.2.0.jar: validateIntRange.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/commons-validator-1.2.0.jar/org/apache/commons/validator/javascript/validateIntRange.js
MD5: 382520fe34cafbe13a7d7209b6e3db03
SHA1: 6a32004a88b7d03a91b6e5e0a97daae419f4b390
SHA256:e8fb86a1a06e9f4f5ce6d4cd8a7b95de3bbb3a614dce5ff9852573466dda2b83

Identifiers

  • None

commons-validator-1.2.0.jar: validateInteger.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/commons-validator-1.2.0.jar/org/apache/commons/validator/javascript/validateInteger.js
MD5: 94700a547d0ef8fbcfc271cd22146683
SHA1: 52ef7f47795d06ac65f762bf959288cd7f1920c7
SHA256:ca11cb500dc30f4f28fe49794aae534cca9e455049cfa928f31e2c5f7f11526e

Identifiers

  • None

commons-validator-1.2.0.jar: validateMask.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/commons-validator-1.2.0.jar/org/apache/commons/validator/javascript/validateMask.js
MD5: 5381744a9a9887d1aad62c0d257e568d
SHA1: e4eab30f4cdea752758a7e0799824287ec015d01
SHA256:da11bc4a6aeee4987a0667db97a8e89480e146e982bc529d80637f284a04d3b7

Identifiers

  • None

commons-validator-1.2.0.jar: validateMaxLength.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/commons-validator-1.2.0.jar/org/apache/commons/validator/javascript/validateMaxLength.js
MD5: e82d7a83da445d183b2e1dcc07e0f997
SHA1: ac5e8a12f849e9bc8199366bc56771386f8a5798
SHA256:e2e92c9afaf7f2a56109df14955ea11df8f54d3db58906befb924e055ddcc9d5

Identifiers

  • None

commons-validator-1.2.0.jar: validateMinLength.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/commons-validator-1.2.0.jar/org/apache/commons/validator/javascript/validateMinLength.js
MD5: da46b0782fe5d177f1870be17e6af8fe
SHA1: a2d0f5d74e85a798f4e4bcb34c16d49a4337eb74
SHA256:5d828180e61483e3cd82182136b299549158f196672ecfb91ad5d3ca2cfa6957

Identifiers

  • None

commons-validator-1.2.0.jar: validateRequired.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/commons-validator-1.2.0.jar/org/apache/commons/validator/javascript/validateRequired.js
MD5: d1b859569270ef31f933659ed7e72079
SHA1: 979e34e570ebba97d65a0b14a6b2edfb3ea1351c
SHA256:dc1f600326ae2501144979d7c26264736689f417855fa9d25cbf86a5826b6077

Identifiers

  • None

commons-validator-1.2.0.jar: validateShort.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/commons-validator-1.2.0.jar/org/apache/commons/validator/javascript/validateShort.js
MD5: c9a7f3816da9d111177e7d85fd5cc994
SHA1: a09c0a151273a18d68c770ef9de6bf1e1da3c1da
SHA256:325c299914ff895e24c296f62063ad6ee6d87f12946b4573292bfd53bc5ee88b

Identifiers

  • None

commons-validator-1.2.0.jar: validateUtilities.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/commons-validator-1.2.0.jar/org/apache/commons/validator/javascript/validateUtilities.js
MD5: 372032ecd55f8f8ce199a506396d0019
SHA1: 13d9676bb6329d1acf1dd381d1e723b52d5e55b3
SHA256:8bb5a54103a7767e0756fe5a61d802c4f6793e18a1b9ee83b5a75a188db25472

Identifiers

  • None

compiler-0.9.3.jar

Description:

Implementation of mustache.js for Java

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-elasticsearch/target/dependency/compiler-0.9.3.jar
MD5: 5df26dd0bf9ed3bb0af6e2dbe9cacf2b
SHA1: 2815e016c63bec4f18704ea4f5489106a5b01a99
SHA256:478ce317231ff42024bf7b6f1447a15e6d961358b564ac158ebfe4c53fdd404f

Identifiers

cucumber-core-1.2.5.jar

License:

http://www.opensource.org/licenses/mit-license
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/cucumber-core-1.2.5.jar
MD5: a551e06068996e08b3a85e06ff911628
SHA1: 7255a9d8e0c3b0f9e3cd80503c91c2b088b3d9b5
SHA256:684f0f9b029a8cd28048bb2b95fc124fd325e21172be375193680943f5ea2aeb

Identifiers

cucumber-html-0.2.3.jar

Description:

Cucumber-HTML is a cross-platform HTML formatter for all the Cucumber implementations.

License:

MIT License: http://www.opensource.org/licenses/mit-license
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/cucumber-html-0.2.3.jar
MD5: d46fd8733b8aa147f0e5bb37d2e1d5b8
SHA1: 624a0c986088e32910336dd77aee5191c04a8201
SHA256:79880ba60bfb52ef848c4bf6ebf1073af132ada8b0794d4c72d897e8fe25050b

Identifiers

cucumber-html-0.2.3.jar: formatter.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/cucumber-html-0.2.3.jar/cucumber/formatter/formatter.js
MD5: 8d4c9b885995a65b7dd7572d37c90fc9
SHA1: 3e4974620c33b9e3ac789d131b8ef893e0ed8337
SHA256:3af3641b51473a6832490ed5f678338220324c989f0794075f2404ca71e928b1

Identifiers

  • None

cucumber-html-0.2.3.jar: jquery-1.8.2.min.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/cucumber-html-0.2.3.jar/cucumber/formatter/jquery-1.8.2.min.js
MD5: 1d14cd3798bc4d6aaf65dd625870723f
SHA1: 0809f9f5caa2642b9dea8bf59133180bfd7c1d6f
SHA256:04bebecfb9f7ce92cf947ce283fccf067cf6870f65af3456dd22b6c102447c83

Identifiers

CVE-2012-6708  

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 1.9.0

CVE-2015-9251  

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6
  • cpe:2.3:a:oracle:siebel_ui_framework:18.11:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_workforce_management_software:1.64.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:* versions from (including) 4.3.0.1; versions up to (including) 4.3.0.4
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:real-time_scheduler:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_operations_monitor:4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:* versions up to (excluding) 7.0.0.1
  • cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_webrtc_session_controller:*:*:*:*:*:*:*:* versions up to (excluding) 7.2
  • cpe:2.3:a:oracle:business_process_management_suite:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_invoice_matching:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_allocation:15.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:endeca_information_discovery_studio:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.6
  • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.1; versions up to (including) 17.12

CVE-2019-11358  

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.5.0; versions up to (excluding) 8.5.15
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.66
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (excluding) 8.6.15
  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0
  • cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.12.0; versions up to (excluding) 1.12.6
  • cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.11.0; versions up to (excluding) 1.11.9

CVE-2020-11022  

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.2; versions up to (excluding) 3.5.0

CVE-2020-11023  

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.0.3; versions up to (excluding) 3.5.0

cucumber-java-1.2.5.jar

License:

http://www.opensource.org/licenses/mit-license
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/cucumber-java-1.2.5.jar
MD5: 80d2fa0c69445a2f9965ebbb09bab7b9
SHA1: 02197dfa9cd7899ddce136a356994ac21f438f80
SHA256:cf21bc8033e4c53d6d71e018c28fb91f1461b573b8683ff45e428c5e06ec0009

Identifiers

cucumber-junit-1.2.5.jar

License:

http://www.opensource.org/licenses/mit-license
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/cucumber-junit-1.2.5.jar
MD5: 4a7d3cf9674b1c2b9f27ac29ca944dbe
SHA1: 7cedd85f2e6b4f2fa1091c921f509275c60e7500
SHA256:68a700057376c38a6595de2d4d84b39ff357377f7a75b480f40f188bdec15190

Identifiers

cucumber-jvm-deps-1.0.5.jar

License:

BSD License: http://xstream.codehaus.org/license.html
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/cucumber-jvm-deps-1.0.5.jar
MD5: 70e82952895639a7eb4b0e3df72189e8
SHA1: 69ed0efe4b81f05da3c0bdc7281cbdc43f5ceb26
SHA256:2a4e84a51defe9108579b3c0a86bb41e54f04e9042e83adf4348a974dcf1dee6

Identifiers

cucumber-jvm-deps-1.0.5.jar (shaded: com.googlecode.java-diff-utils:diffutils:1.3.0)

Description:

The DiffUtils library for computing diffs, applying patches, and generating side-by-side views in Java.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/cucumber-jvm-deps-1.0.5.jar/META-INF/maven/com.googlecode.java-diff-utils/diffutils/pom.xml
MD5: 7840396763fafd8850bd483e096af3c7
SHA1: 7d5e372ff32c90095800f96d8308c41af0285a41
SHA256:2fe31dd6309b0f5f195bbdc4749cfc0af065d61f06cfe183dfd2f2092ab847b6

Identifiers

cucumber-jvm-deps-1.0.5.jar (shaded: com.thoughtworks.xstream:xstream:1.4.8)

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/cucumber-jvm-deps-1.0.5.jar/META-INF/maven/com.thoughtworks.xstream/xstream/pom.xml
MD5: fc12b288915d4cb2952ad6f58feb9f1a
SHA1: d673dea56fb9fac5d35d7f909aee94df4f78431d
SHA256:8ba35dd4ea1647b89a8ae082bb6c81d5695a1ec31e73aa57bfa3512069c4bee2

Identifiers

CVE-2016-3674  

Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2017-7957  

XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

cucumber-spring-1.2.5.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/cucumber-spring-1.2.5.jar
MD5: 49e5177563fa90a033aded1bc03f60d5
SHA1: 2b96b04759ce9719d20ea74aab59e06e6db5274b
SHA256:f1f182c627e8e230ef5a12163c503bf049996ff2e272141e7d4105c5069d2cd5

Identifiers

doxia-core-1.1.2.jar

Description:

Doxia core classes and interfaces.

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-upload/target/dependency/doxia-core-1.1.2.jar
MD5: 19e5116cd565146e47b504eb5f15476d
SHA1: 30b5f95ed31d612ad3c64af82904f82e6d4ab29c
SHA256:bc5ad57d743890d0a6cefc9f1f3151605008179abc7bfa07be3afbb792fe63e8

Identifiers

doxia-decoration-model-1.1.2.jar

Description:

The Decoration Model handles the site descriptor, also known as site.xml.

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/doxia-decoration-model-1.1.2.jar
MD5: a3f0de9c545ae6309919499e28176181
SHA1: 172cda539c83280c3f7a60022337f454e98c029d
SHA256:a797fc74e1f9c34d447dad503ed9f35fcf4926617924de314e3009b6f3c90eed

Identifiers

doxia-logging-api-1.1.jar

Description:

Doxia Logging API.

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-batch/target/dependency/doxia-logging-api-1.1.jar
MD5: 8e93b74b3fb7353322069d4c996c7887
SHA1: c8fe274396e40452ca3e6121f6dd00220b210d48
SHA256:80f1b67a2f698f0e8dd11e5cedfc28c5b8e6fb2986adf939bfa04d92d9367d66

Identifiers

doxia-module-fml-1.1.2.jar

Description:

A Doxia module for FML source documents.

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-upload/target/dependency/doxia-module-fml-1.1.2.jar
MD5: 6178979e5be52dc4dd8fa22cce0fd706
SHA1: 923531d55433db173b9479cd7af7ef5c2ee023da
SHA256:99cfc10cdb5401d12df0a1ec54b24cf366de17e3988f90b4068802537a19df35

Identifiers

doxia-module-xhtml-1.1.2.jar

Description:

A Doxia module for Xhtml source documents.

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-search/target/dependency/doxia-module-xhtml-1.1.2.jar
MD5: c8dbf38e471b017881e05d0a9d1e9c6f
SHA1: 11566856aa0bd7780842de4be791d583df8ad8bf
SHA256:013f5703944a129f7d1706414bb8e9f452b6aed1b353db15cdaf4d498671f31a

Identifiers

doxia-sink-api-1.1.jar

Description:

Doxia Sink API.

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-sms-http/target/dependency/doxia-sink-api-1.1.jar
MD5: 83936a5b87b5a2ead35c8987d984b14a
SHA1: 9fc15c69e09a14fd07acba7300009eff6e692a44
SHA256:c59e706156064a6a02444212b16cec3f3403bd626f124223abeaaf8f66447e92

Identifiers

doxia-site-renderer-1.1.2.jar

Description:

The Site Renderer handles the rendering of sites.

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/doxia-site-renderer-1.1.2.jar
MD5: fda936ce523db8f09b3123d516aec628
SHA1: 3b089bbe153468845e6caabd35c2a8b879939ee4
SHA256:5611125ec58a28db821dedfb76f90c1c2197e8f992555f3d4ca3efb5fc8e7066

Identifiers

druid-1.0.23.jar

Description:

A JDBC datasource implementation.

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-common/target/dependency/druid-1.0.23.jar
MD5: 4ef7bc3e39d615fc919796d0cf53fe27
SHA1: 2c1ea1f15b2820fb3cc5d9255f9540b99cdeefe6
SHA256:138a3b48b628c776a4c5c87817377da5a69d4a2a0ab5280724e3051a8c65e3ea

Identifiers

druid-1.0.23.jar: bootstrap.min.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-common/target/dependency/druid-1.0.23.jar/support/http/resources/js/bootstrap.min.js
MD5: e90c5ecfa0f7dcfdb6b8ef8aa756aceb
SHA1: 17686183020cff03e19e960ac8c135c3e9652174
SHA256:354751191e20ab0c948f00065077d20313dfd68305c0a43757c68e1e8ec3d647

Identifiers

  • None

druid-1.0.23.jar: common.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-common/target/dependency/druid-1.0.23.jar/support/http/resources/js/common.js
MD5: fb71736f1c59fdf73e305d09283593f1
SHA1: 13572254dc71394f73307b33a9f37773194d26a8
SHA256:79e0b1da2f28f7d519f1197e5e96f3dcf0a56c333d4e6f0dfe6f107f08e5ddb7

Identifiers

  • None

druid-1.0.23.jar: doT.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-common/target/dependency/druid-1.0.23.jar/support/http/resources/js/doT.js
MD5: bb0029bab77e01e80957dc8155c09ad6
SHA1: d8922e15f3348769feb4d96ee14b644b90ca5f54
SHA256:81d508eb6eb011e638b8f2c67f1d12c6a1be9a0b93f8259094fdefde2c87346d

Identifiers

  • None

druid-1.0.23.jar: jquery.min.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-common/target/dependency/druid-1.0.23.jar/support/http/resources/js/jquery.min.js
MD5: a5cec7920ad750f7a5d9f13742797df7
SHA1: bec218fe5096d480c9e6ad8c0aaa950de65aeab2
SHA256:bef783339172a7feca5c8f71e4ffe019cded8c4da4de3e3c76c20b20157af5cc

Identifiers

CVE-2012-6708  

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 1.9.0

CVE-2015-9251  

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:* versions up to (excluding) 6.1.0.4.0
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5
  • cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.0.0
  • cpe:2.3:a:oracle:enterprise_operations_monitor:3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:oss_support_tools:19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_sales_audit:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_ui_framework:18.10:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6
  • cpe:2.3:a:oracle:siebel_ui_framework:18.11:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_workforce_management_software:1.64.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:* versions from (including) 4.3.0.1; versions up to (including) 4.3.0.4
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:real-time_scheduler:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_operations_monitor:4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:* versions up to (excluding) 7.0.0.1
  • cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_webrtc_session_controller:*:*:*:*:*:*:*:* versions up to (excluding) 7.2
  • cpe:2.3:a:oracle:business_process_management_suite:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_invoice_matching:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_allocation:15.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:endeca_information_discovery_studio:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.6
  • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.1; versions up to (including) 17.12

CVE-2019-11358  

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.5.0; versions up to (excluding) 8.5.15
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.66
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (excluding) 8.6.15
  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0
  • cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.12.0; versions up to (excluding) 1.12.6
  • cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.11.0; versions up to (excluding) 1.11.9

CVE-2020-11022  

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.2; versions up to (excluding) 3.5.0

CVE-2020-11023  

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.0.3; versions up to (excluding) 3.5.0

druid-1.0.23.jar: lang.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-common/target/dependency/druid-1.0.23.jar/support/http/resources/js/lang.js
MD5: ec0c5411b128b5fadadc023ff52533fa
SHA1: 2e7915818acca0afe1816b1c60ead9cf7fc7cfe7
SHA256:d8fd86f83e5f6e12d33add2d0b3aa99027e370ca9935596145c908ab623b125d

Identifiers

  • None

ehcache-2.10.3.jar

Description:

Ehcache is an open source, standards-based cache used to boost performance, offload the database and simplify scalability. Ehcache is robust, proven and full-featured, and this has made it the most widely-used Java-based cache.

License:

The Apache Software License, Version 2.0: src/assemble/EHCACHE-CORE-LICENSE.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-search/target/dependency/ehcache-2.10.3.jar
MD5: 4abeb9314789f894dc00144a70dedc08
SHA1: cf74f9a4a049f181833b147a1d9aa62159c9d01d
SHA256:61954bb0c48d49cf1df4a3c3fa1bb42c95bebcf5c3e0be6548a26bb063b3c726

Identifiers

ehcache-core-2.6.11.jar

Description:

This is the ehcache core module. Pair it with other modules for added functionality.

License:

The Apache Software License, Version 2.0: src/assemble/EHCACHE-CORE-LICENSE.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-search/target/dependency/ehcache-core-2.6.11.jar
MD5: 81840aace00ec514154d6dac91ba43e5
SHA1: fae7f84a5ffabe1b814e40190650c0ad5aeda5b1
SHA256:ffe3580aadb6e07f86e49e326f3402fe8dfbf3470eb2782d68507bd31d75af88

Identifiers

ehcache-core-2.6.11.jar: sizeof-agent.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-search/target/dependency/ehcache-core-2.6.11.jar/net/sf/ehcache/pool/sizeof/sizeof-agent.jar
MD5: 5ad919b3ac0516897bdca079c9a222a8
SHA1: e86399a80ae6a6c7a563717eaa0ce9ba4708571c
SHA256:3bcd560ca5f05248db9b689244b043e9c7549e3791281631a64e5dfff15870d2

Identifiers

elasticsearch-5.2.1.jar

Description:

Elasticsearch subproject :core

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-search/target/dependency/elasticsearch-5.2.1.jar
MD5: 9db6610f4987889afa9bd6b2c96b492b
SHA1: 34ab99e9afe6b396aaf12dc5dc68bad3116df812
SHA256:081ea19f0795b7c5330539ec066027bfd3870f8a7bbe7b3fc35a0825ceb058cd

Identifiers

CVE-2019-7611  

A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used. If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2019-7614  

A race condition flaw was found in the response headers that Elasticsearch versions before 7.2.1 and 6.8.2 return to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to a response header containing sensitive data from another user.
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2020-7019  

In Elasticsearch before 7.9.0 and 6.8.12, a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query that another, more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

encoder-1.2.2.jar

Description:

The OWASP Encoders package is a collection of high-performance, low-overhead contextual encoders that, when utilized correctly, is an effective tool in preventing web application security vulnerabilities such as Cross-Site Scripting.

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/encoder-1.2.2.jar
MD5: f359154223ac1d471da94e54217df4db
SHA1: 664346e62c3a95e1de5153db231bd283392a9532
SHA256: 32313d4f4fa494c86cb236664e74723231b9418028c7cfc6d61cc4d14c4a993f

Identifiers

ezmorph-1.0.6.jar

Description:

Simple Java library for transforming an Object to another Object.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-upload/target/dependency/ezmorph-1.0.6.jar
MD5: 1fa113c6aacf3a01af1449df77acd474
SHA1: 01e55d2a0253ea37745d33062852fd2c90027432
SHA256: 2be06a2380f8656426b5c610db694bbd75314caf3e9191affcd7942721398ed7

Identifiers

fast-classpath-scanner-2.0.13.jar

Description:

Uber-fast, ultra-lightweight Java classpath scanner. Scans the classpath by parsing the classfile binary format directly rather than by using reflection. See https://github.com/lukehutch/fast-classpath-scanner

License:

The MIT License (MIT): http://opensource.org/licenses/MIT
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/fast-classpath-scanner-2.0.13.jar
MD5: 57606ae1a69410cb46a534c2ab783cdf
SHA1: 9a19e36a388037f0b632a66684653dd09352c610
SHA256: d21ce8c9abf59f1d45a1f7bb18b7d136637f3f18e422345e3bcb677faeaf34fc

Identifiers

fastjson-1.2.70.jar

Description:

Fastjson is a JSON processor (JSON parser + JSON generator) written in Java

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-config-center/target/dependency/fastjson-1.2.70.jar
MD5: b5b9cec4ce6b5ca134c9092aea2224c4
SHA1: 77e20a36181005ad6d838254d52b3fa949e95dfe
SHA256: cdde33b0152875b62dce0420177e7788a41050e0b0df805116ead89dc959a9d0

Identifiers

fever-batch-0.0.3-SNAPSHOT.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-batch/target/fever-batch-0.0.3-SNAPSHOT.jar
MD5: 9ce425d5a08b0f072f18f7f9a8445610
SHA1: 0967c873a3b8a83560b3e295754fa401e24ebc31
SHA256: 3bc78d5c24e6ace1b8ebc697ada962c3ca19435e5987d1099b080499e4942993

Identifiers

CVE-2019-3774  

Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

fever-common-0.0.3-SNAPSHOT.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-search/target/dependency/fever-common-0.0.3-SNAPSHOT.jar
MD5: 0562ac25fa058c8acea14a484e3d4c40
SHA1: baca401c12bda31825b6ee848563f9d2d071a5fb
SHA256: 23764afb37ec1ac2bf50c4c2ffa8cfdd6e6c00e5fbe443e4901376423659dbd7

Identifiers

CVE-2016-9878  

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2017-8046  

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1196  

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d Linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot applications that are not installed as a service, or are not using the embedded launch script, are not susceptible.
CWE-59 Improper Link Resolution Before File Access ('Link Following')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1270  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-358 Improperly Implemented Security Check for Standard

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1271  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1272  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-5421  

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

References:

Vulnerable Software & Versions:

fever-config-center-0.0.3-SNAPSHOT.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-config-center/target/fever-config-center-0.0.3-SNAPSHOT.jar
MD5: e0b381e73dcd81bd39aff14fcf9ec004
SHA1: e8047f507bd2e6970bfb21d498b6d31a215d88fc
SHA256: f7c18f3bd3129fecafc2e71094a182be1501b9e00006470672d00f17fe610c04

Identifiers

CVE-2016-9878  

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2017-8046  

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1196  

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d Linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot applications that are not installed as a service, or are not using the embedded launch script, are not susceptible.
CWE-59 Improper Link Resolution Before File Access ('Link Following')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1270  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-358 Improperly Implemented Security Check for Standard

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1271  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1272  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-5421  

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

References:

Vulnerable Software & Versions:

fever-elasticsearch-0.0.3-SNAPSHOT.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-batch/target/dependency/fever-elasticsearch-0.0.3-SNAPSHOT.jar
MD5: 3c9ed2e927a6d58121c026904e7427a1
SHA1: 7224553764003b4f0dc384b49f2b863d68f1a8d5
SHA256: f512b64c4503f76ee5f0475471891cea682529d2bc818d83d981effb622a7f66

Identifiers

CVE-2014-3120  

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.
CWE-284 Improper Access Control

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions:

CVE-2014-6439  

Cross-site scripting (XSS) vulnerability in the CORS functionality in Elasticsearch before 1.4.0.Beta1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2015-1427  

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
CWE-284 Improper Access Control

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions:

CVE-2015-3337  

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N

References:

Vulnerable Software & Versions:

CVE-2015-5531  

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N

References:

Vulnerable Software & Versions:

fever-mail-0.0.3-SNAPSHOT.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-mail/target/fever-mail-0.0.3-SNAPSHOT.jar
MD5: 5d3f4adc03a68a9df754340c77b7d134
SHA1: 1d624d19284d5eb243fb905dcffd674d893e6a9c
SHA256: 4c851957418eb13ab6a6dbfb520ca6410ca0710f073847e8fb79996e3f179299

Identifiers

  • pkg:maven/com.github.fanfever/fever-mail@0.0.3-SNAPSHOT  (Confidence:High)
  • cpe:2.3:a:pivotal_software:spring_boot:0.0.3:snapshot:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:pivotal_software:spring_framework:0.0.3:snapshot:*:*:*:*:*:*  (Confidence:Low)  

CVE-2016-9878  

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2017-8046  

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1196  

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d Linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot applications that are not installed as a service, or are not using the embedded launch script, are not susceptible.
CWE-59 Improper Link Resolution Before File Access ('Link Following')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1270  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-358 Improperly Implemented Security Check for Standard

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1271  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1272  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-5421  

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

References:

Vulnerable Software & Versions:

fever-metrics-0.0.3-SNAPSHOT.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/fever-metrics-0.0.3-SNAPSHOT.jar
MD5: ba4042efc4fba79ae2ec74533c9d4202
SHA1: 59786fecbbd90e86a3f56847611a2dad24415604
SHA256: 19ea1da67dc2bdb587b4a8b429094bc5791c7fc8c73ffafc6ed19aaec0106e68

Identifiers

CVE-2016-9878  

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2017-8046  

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1196  

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d Linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot applications that are not installed as a service, or are not using the embedded launch script, are not susceptible.
CWE-59 Improper Link Resolution Before File Access ('Link Following')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1270  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-358 Improperly Implemented Security Check for Standard

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1271  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1272  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-5421  

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

References:

Vulnerable Software & Versions:

fever-migration-0.0.3-SNAPSHOT.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-migration/target/fever-migration-0.0.3-SNAPSHOT.jar
MD5: 059a0f1263eed5f49bebd8d01234cd0b
SHA1: 78a59657bac6ffd46ef8f37ef278f07efcbfd331
SHA256: 3f8beeeecb9424bf68617120529e9fc69286b7cf0020c14cd118877fd8413e34

Identifiers

CVE-2016-9878  

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2017-8046  

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1196  

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d Linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot applications that are not installed as a service, or are not using the embedded launch script, are not susceptible.
CWE-59 Improper Link Resolution Before File Access ('Link Following')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1270  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-358 Improperly Implemented Security Check for Standard

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1271  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1272  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-5421  

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

References:

Vulnerable Software & Versions:

fever-search-0.0.3-SNAPSHOT.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-search/target/fever-search-0.0.3-SNAPSHOT.jar
MD5: 3582587635696f7462459f4aec1d2056
SHA1: 5d24af924954c12f4ce986f3ca1a90b49d7a539c
SHA256: 2bbba5c8732a4b9bf95aba122d436d919dd5218ef6efe74535b633b058413fda

Identifiers

CVE-2008-0199  

PRO-Search 0.17 and earlier allows remote attackers to cause a denial of service via certain values of the show_page and time parameters to the default URI.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

References:

Vulnerable Software & Versions:

CVE-2008-0207  

Multiple cross-site scripting (XSS) vulnerabilities in PRO-Search 0.17 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) prot, (2) host, (3) path, (4) name, (5) ext, (6) size, (7) search_days, or (8) show_page parameter to the default URI.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N

References:

Vulnerable Software & Versions:

fever-shiro-redis-0.0.3-SNAPSHOT.jar

Description:

A Redis cache implementation that can be used by Shiro.

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/fever-shiro-redis-0.0.3-SNAPSHOT.jar
MD5: dc87ed5d0be2bad9f8b39e79f6902a5e
SHA1: e722311dd25b8e4ba78727f4f9d5428f4b716b84
SHA256:e8c85ac8055de89d5f3de02093e6811fa3e5aca213cc8a4602262479431601d6

Identifiers

CVE-2016-9878  

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and, as a result, were exposed to directory traversal attacks.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2017-8046  

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1196  

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d Linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot applications that are not installed as a service, or are not using the embedded launch script, are not susceptible.
CWE-59 Improper Link Resolution Before File Access ('Link Following')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1270  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-358 Improperly Implemented Security Check for Standard

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1271  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1272  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-5421  

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

References:

Vulnerable Software & Versions:

fever-sms-http-0.0.3-SNAPSHOT.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-sms-http/target/fever-sms-http-0.0.3-SNAPSHOT.jar
MD5: ae803ee2d64f775536faaed5c52bd453
SHA1: 463dacceabb44f104b97d7605e511430f6b4617e
SHA256:f9d68cb690488b5d50709ed4c99e1d3ec10e713674bbd09ba397d71fca62c1fa

Identifiers

CVE-2005-2311  

SMS 1.9.2m and earlier allows local users to overwrite arbitrary files via a symlink attack on the (1) request1 or (2) request2 temporary files.
NVD-CWE-Other

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:N/I:N/A:N

References:

Vulnerable Software & Versions:

fever-upload-0.0.3-SNAPSHOT.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-upload/target/fever-upload-0.0.3-SNAPSHOT.jar
MD5: 7119171b12b8f4f39f4398a4ceba1b2b
SHA1: b694902c54ca460076b645122faadae0f79a4b00
SHA256:0c01a53b1ac0086f6152f35c45604acbc4ff828624ea1539198dc47b9bc6d7df

Identifiers

CVE-2016-9878  

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and, as a result, were exposed to directory traversal attacks.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2017-8046  

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1196  

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d Linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot applications that are not installed as a service, or are not using the embedded launch script, are not susceptible.
CWE-59 Improper Link Resolution Before File Access ('Link Following')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1270  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-358 Improperly Implemented Security Check for Standard

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1271  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1272  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-5421  

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

References:

Vulnerable Software & Versions:

fever-web-0.0.3-SNAPSHOT.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/fever-web-0.0.3-SNAPSHOT.jar
MD5: 83d5561c1fd3344803681436e5843151
SHA1: 5c65ae00a4927c0743853f9d9906da06d8663482
SHA256:d1ec8bc8800b97f3df8121ff03141b9ec51cce3a895c0d027c3f6f769fdb3d5d

Identifiers

  • pkg:maven/com.github.fanfever/fever-web@0.0.3-SNAPSHOT  (Confidence:High)
  • cpe:2.3:a:pivotal_software:spring_boot:0.0.3:snapshot:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:pivotal_software:spring_framework:0.0.3:snapshot:*:*:*:*:*:*  (Confidence:Low)  

CVE-2016-9878  

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and, as a result, were exposed to directory traversal attacks.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2017-8046  

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1196  

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d Linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot applications that are not installed as a service, or are not using the embedded launch script, are not susceptible.
CWE-59 Improper Link Resolution Before File Access ('Link Following')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1270  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-358 Improperly Implemented Security Check for Standard

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1271  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1272  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-5421  

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

References:

Vulnerable Software & Versions:
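The fever-* SNAPSHOT modules above are the project's own build outputs, yet each carries the same seven Spring CVEs. The identifiers listed for fever-web show why: next to the correct package URL, the CPE analyzer assigned pivotal_software:spring_boot:0.0.3 and pivotal_software:spring_framework:0.0.3 at Low confidence, and every advisory whose affected range extends below that version ("older unsupported versions", "before 3.2.18", "1.5.9 and earlier") then matches. The same name-token matching pairs fever-search with PRO-Search 0.17 (CVE-2008-0199, CVE-2008-0207) and fever-sms-http with "SMS 1.9.2m" (CVE-2005-2311). These are false positives against the modules themselves; the spring-* jars those modules actually depend on are scanned under their own entries and must still be reviewed there. The suppression file below is an added example, not part of this report or of the project. It assumes every fever-* module shares the groupId com.github.fanfever seen in fever-web's package URL. For the Spring findings it suppresses the mis-assigned CPEs rather than the CVE IDs, which clears every CVE derived from those CPEs and keeps a future Spring advisory from re-attaching to the modules; the CVE-keyed entries are scoped by package URL instead of the SHA1 printed in the report because a SNAPSHOT jar's hash changes on every build.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (added example, not the project's file).
     Assumption: all fever-* modules use groupId com.github.fanfever; only
     fever-web's package URL is visible in the report. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- fever-* modules mis-identified as Spring Boot / Spring Framework 0.0.3
       (confidence: Low). Suppressing the CPE match removes every CVE that
       hangs off it: CVE-2016-9878, CVE-2017-8046, CVE-2018-1196,
       CVE-2018-1270, CVE-2018-1271, CVE-2018-1272, CVE-2020-5421. -->
  <suppress>
    <notes><![CDATA[
      Project-internal modules, not Spring. The spring-* jars they pull in are
      reported separately and are NOT covered by this suppression.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.github\.fanfever/fever\-[a-z\-]+@.*$</packageUrl>
    <cpe>cpe:/a:pivotal_software:spring_framework</cpe>
    <cpe>cpe:/a:pivotal_software:spring_boot</cpe>
  </suppress>

  <!-- fever-search matched the unrelated "PRO-Search 0.17" on the word "search". -->
  <suppress>
    <notes><![CDATA[
      PRO-Search is an unrelated product; fever-search is a Java module of this project.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.github\.fanfever/fever\-search@.*$</packageUrl>
    <cve>CVE-2008-0199</cve>
    <cve>CVE-2008-0207</cve>
  </suppress>

  <!-- fever-sms-http matched the unrelated "SMS 1.9.2m" on the token "sms". -->
  <suppress>
    <notes><![CDATA[
      Local symlink issue in an unrelated product; no such temp files here.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.github\.fanfever/fever\-sms\-http@.*$</packageUrl>
    <cve>CVE-2005-2311</cve>
  </suppress>

</suppressions>
```

Pass the file with --suppression <file> on the CLI (or <suppressionFiles> in the Maven plugin) and regenerate the report; the fever-* entries should then show no CVEs while the spring-* entries are unchanged. Keep the notes element filled in: a suppression without a recorded reason is the first thing an auditor challenges. A suppression only hides the finding in the report; it changes nothing about the jars that were scanned.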

file-management-1.2.1.jar

Description:

API to collect files from a given directory using several include/exclude rules.

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-parent/target/dependency/file-management-1.2.1.jar
MD5: 8ff176dd87a81b6fe54b47bc10136656
SHA1: 8f98bcaa7fd3625a172fd3de10bba8c32b9820ea
SHA256:009478892149c0141645276d2c74094e7db595a48765b74834565b1dd25b454e

Identifiers

fluent-hc-4.5.3.jar

Description:

   Apache HttpComponents Client fluent API
  

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-mail/target/dependency/fluent-hc-4.5.3.jar
MD5: 902baa6df5f6d20f96d03a7b3453d1ad
SHA1: 76487e3a4fa77b2dd6cb1927ea423e220d7efbab
SHA256:7047412674c28bac2fac86548f94eec19ecc84ac54e055b756f78839fcaff1e4

Identifiers

fluent-validator-1.0.5.jar

Description:

A simple Java validation framework leveraging fluent interface style and JSR 303 specification
    

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/fluent-validator-1.0.5.jar
MD5: e47ed612b502e4ccfd786f3e50b20aa8
SHA1: a8c53431fbef942e74e664b2c02d4291c34117b3
SHA256:3aa509f18bdc40496f5362ebcbbf1a8137d6ac94658a3d7dc9a1898e596a6c38

Identifiers

fluent-validator-jsr303-1.0.5.jar

Description:

A simple Java validation framework leveraging fluent interface style and JSR 303 specification
    

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/fluent-validator-jsr303-1.0.5.jar
MD5: 632c4e55f64a8ac4e98836cb28547ba8
SHA1: 98634cbd3891c6323854743bcfc546b6d7782671
SHA256:2f8a67618c64992851ba3ab4299c20ad388b015816d2c34bff0b2fa373357241

Identifiers

fluent-validator-spring-1.0.5.jar

Description:

A simple Java validation framework leveraging fluent interface style and JSR 303 specification
    

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/fluent-validator-spring-1.0.5.jar
MD5: 76422bad11c592d626193e6ff1935ce1
SHA1: 381e3509590d48e0a142ddc49f25e134c1277d73
SHA256:db89e3d1ae20b2f3eaa3cc67ae17387ac25c28f505103ca2082b16bd79557efb

Identifiers

flyway-core-3.2.1.jar

Description:

Flyway: Database Migrations Made Easy.

License:

Apache License, Version 2.0: https://github.com/flyway/flyway/blob/master/LICENSE.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-migration/target/dependency/flyway-core-3.2.1.jar
MD5: 86ffc06045433c1e8178c0af02903a07
SHA1: 88347e9a484152e9b80fbad7648d1b552a8cff78
SHA256:81e069eecd8632078cce93f2faa96c1704c568cfa242210f894c55dcee626c94

Identifiers

gherkin-2.12.2.jar

Description:

Pure Java Gherkin

License:

MIT License: http://www.opensource.org/licenses/mit-license
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/gherkin-2.12.2.jar
MD5: 4f9d2052404a4dd642714c345e389f64
SHA1: 017138631fa20fd0e44a13e50d6b7be59cee1a94
SHA256:0a5ebc0506ab1e4a08af1ca150f797304ff53b953c5b1f6fcf1f81551d964aad

Identifiers

guava-21.0.jar

Description:

    Guava is a suite of core and expanded libraries that include
    utility classes, google's collections, io classes, and much
    much more.

    Guava has only one code dependency - javax.annotation,
    per the JSR-305 spec.
  

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-common/target/dependency/guava-21.0.jar
MD5: ddc91fd850fa6177c91aab5d4e4d1fa6
SHA1: 3a3d111be1be1b745edfa7d91678a12d7ed38709
SHA256:972139718abc8a4893fa78cba8cf7b2c903f35c97aaf44fa3031b0669948b480

Identifiers

CVE-2018-10237  

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

h2-1.4.193.jar

Description:

H2 Database Engine

License:

MPL 2.0 or EPL 1.0: http://h2database.com/html/license.html
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/h2-1.4.193.jar
MD5: 4bb66a982f387e617e0e406f3b6de2cf
SHA1: 369b51e2090c4e6714d9d5e42010b6330c2cea26
SHA256:b1cf34c64871014aa73580281cc464dfa72450d8860cc0752fc175e87edd6544

Identifiers

h2-1.4.193.jar: data.zip: table.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/h2-1.4.193.jar/org/h2/util/data.zip/org/h2/server/web/res/table.js
MD5: a914a66de53dcdeb39684f1ce8ce8527
SHA1: c41ef5fb193ac25622f4e129470339aec24d731a
SHA256:8c5b079b38e94718bb58a71b0e310bad6c1004670a19c1bc0f63b32fdd81134a

Identifiers

  • None

h2-1.4.193.jar: data.zip: tree.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/h2-1.4.193.jar/org/h2/util/data.zip/org/h2/server/web/res/tree.js
MD5: 495277155635a72b0c69f987d938b6e1
SHA1: 446cad47e33a62baf330ee5200646b5ccb9c0df9
SHA256:14c797bd700570c38e8af1aa50ecea205a385be466ec9431e46dbe586ce7a61c

Identifiers

  • None

hamcrest-core-1.3.jar

Description:

    This is the core API of hamcrest matcher framework to be used by third-party framework providers. This includes the a foundation set of matcher implementations for common operations.
  

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/hamcrest-core-1.3.jar
MD5: 6393363b47ddcbba82321110c3e07519
SHA1: 42a25dc3219429f0e5d060061f71acb49bf010a0
SHA256:66fdef91e9739348df7a096aa384a5685f4e875584cce89386a7a47251c4d8e9

Identifiers

hamcrest-library-1.3.jar

Description:

    Hamcrest library of matcher implementations.
  

License:

GraphDB Free License: http://graphdb.ontotext.com/LICENSE-GraphDB-Free.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-elasticsearch/target/dependency/hamcrest-library-1.3.jar
MD5: 110ad2ea84f7031a1798648b6b318e79
SHA1: 4785a3c21320980282f9f33d0d1264a69040538f
SHA256:711d64522f9ec410983bd310934296da134be4254a125080a0416ec178dfad1c

Identifiers

hazelcast-3.7.5.jar

Description:

Core Hazelcast Module

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-sms-http/target/dependency/hazelcast-3.7.5.jar
MD5: a21298b08d3d5a8949afcea8c8996f1e
SHA1: d74eee1a50adbc48c974c0fac3984b9f2e3ff676
SHA256:dfc041f47af13dcad307503e7c050dfd36aef301096426ffd3eeb571c53e86ca

Identifiers

CVE-2016-10750  

In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

hazelcast-3.7.5.jar (shaded: com.eclipsesource.minimal-json:minimal-json:0.9.2-SNAPSHOT)

Description:

A Minimal JSON Parser and Writer

License:

MIT License: http://opensource.org/licenses/MIT
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-sms-http/target/dependency/hazelcast-3.7.5.jar/META-INF/maven/com.eclipsesource.minimal-json/minimal-json/pom.xml
MD5: ae5eb6ecf5f051dd566d8f2c6af93440
SHA1: 639ffcaea95015a3f940cebd93608c5c1976cea1
SHA256:6684c9ccba201852e46f6d4adb0845ee362240ec910504ee31b4be6b4e06be3c

Identifiers

hazelcast-3.7.5.jar (shaded: com.hazelcast:hazelcast-client-protocol:1.3.3)

Description:

Core Hazelcast Module

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-sms-http/target/dependency/hazelcast-3.7.5.jar/META-INF/maven/com.hazelcast/hazelcast-client-protocol/pom.xml
MD5: 525e34481def2215e0dbf8a215aa6104
SHA1: 674c055f4ef6b69163b8a44345d64dcc7a9846b7
SHA256:0c054110a639d8d7b12565b4d6c10f76769f26770a74da9e8554e590a1a60d83

Identifiers

CVE-2016-10750  

In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:
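Two findings in this section are genuine product matches with a fixed version stated in the advisory text: hazelcast-3.7.5.jar (CVE-2016-10750, Java deserialization in the cluster join path, fixed in 3.11) and guava-21.0.jar (CVE-2018-10237, unbounded allocation when deserializing attacker-provided data, fixed in 24.1.1). Both are transitive dependencies, sitting under fever-sms-http/target/dependency and fever-common/target/dependency, so the version override belongs in the parent POM's dependencyManagement, which wins over whatever the pulling artifact declares. Before suppressing or deferring either one, confirm exposure against the conditions the advisories state: a Hazelcast instance listening on a port an attacker can reach, and any code path that feeds Java serialization with untrusted input. The fragment below is an added example, not the project's pom.xml: the artifact coordinates are the standard Maven ones for these libraries, the versions are the first fixed releases named above (a newer patch release on the same line is the better pick in practice), and the dependency-check-maven configuration that follows assumes a suppression file named dependency-check-suppressions.xml and fails the build on any finding scoring CVSS 7.0 or higher. With that threshold the hazelcast finding (8.1) breaks the build until the override lands, while the guava finding (5.9) is reported only.

```xml
<!-- pom.xml fragment for the parent POM (added example, not the project's file).
     Other project elements omitted; pin the plugin version in a real build. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- CVE-2016-10750: cluster-join deserialization RCE, fixed in 3.11 -->
      <dependency>
        <groupId>com.hazelcast</groupId>
        <artifactId>hazelcast</artifactId>
        <version>3.11</version>
      </dependency>
      <!-- CVE-2018-10237: eager allocation on deserialization, fixed in 24.1.1 -->
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>24.1.1-jre</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
        <configuration>
          <!-- reviewed false positives live here (file name assumed) -->
          <suppressionFiles>
            <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
          </suppressionFiles>
          <!-- fail the build on any finding with CVSS 7.0 or higher -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
```

Run mvn dependency:tree -Dincludes=com.hazelcast first to see which module introduces the jar, and verify after the build that target/dependency contains the overridden versions rather than 3.7.5 and 21.0. Note the ordering dependency with the false positives above: until those are suppressed, CVE-2017-8046 (9.8) on the fever-* modules would trip the same threshold, so the suppression file and the version overrides have to go in together.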

hibernate-validator-5.3.4.Final.jar

Description:

Hibernate's Bean Validation (JSR-303) reference implementation.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-config-center/target/dependency/hibernate-validator-5.3.4.Final.jar
MD5: 540c4f2374a74674f00e2f2691bb2cce
SHA1: 2f6c8c0b646afe18e3ad205726729d3c4a85fe2e
SHA256:b87d88d4faee39fb7aad20715d79b49c07c2b915df05faccb002bfcf0cb1f0e5

Identifiers

hppc-0.7.1.jar

Description:

High Performance Primitive Collections. 
  Fundamental data structures (maps, sets, lists, stacks, queues) generated for
  combinations of object and primitive types to conserve JVM memory and speed
  up execution.

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-batch/target/dependency/hppc-0.7.1.jar
MD5: 2ff89be5b49144c330190cf7137c3a26
SHA1: 8b5057f74ea378c0150a1860874a3ebdcb713767
SHA256:40d2a57f59e9eae7b018d3b4841954087ee40a5c1db6a54c3ea87742e3890391

Identifiers

httpasyncclient-4.1.3.jar

Description:

   Apache HttpComponents AsyncClient
  

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-search/target/dependency/httpasyncclient-4.1.3.jar
MD5: 73d4a443918f4f7124339d2161e2ae54
SHA1: 34c56f43fd3255fc239ffe33d0fbfb8195be6a24
SHA256:2865d141cf21418e9f70f886cdd92d2e2e9a52d636ddffe3a3aaae4e9c70d0a2

Identifiers

httpclient-4.5.3.jar

Description:

   Apache HttpComponents Client
  

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-search/target/dependency/httpclient-4.5.3.jar
MD5: 1965ebb7aca0f9f8faaed3870d8cf689
SHA1: d1577ae15f01ef5438c5afc62162457c00a34713
SHA256:db3d1b6c2d6a5e5ad47577ad61854e2f0e0936199b8e05eb541ed52349263135

Identifiers

httpcore-4.4.6.jar

Description:

   Apache HttpComponents Core (blocking I/O)
  

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-mail/target/dependency/httpcore-4.4.6.jar
MD5: a9fbd503e0802507efeeaffb56bbdf52
SHA1: e3fd8ced1f52c7574af952e2e6da0df8df08eb82
SHA256:d7f853dee87680b07293d30855b39b9eb56c1297bd16ff1cd6f19ddb8fa745fb

Identifiers

httpcore-nio-4.4.5.jar

Description:

   Apache HttpComponents Core (non-blocking I/O)
  

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-search/target/dependency/httpcore-nio-4.4.5.jar
MD5: e570d76d11b6fdf941173ab78ae4288b
SHA1: f4be009e7505f6ceddf21e7960c759f413f15056
SHA256:9da82cfb9f50318333d3892e00904f3b74af0825f0f6de32eea7090a2565d0d1

Identifiers

httpmime-4.5.3.jar

Description:

   Apache HttpComponents HttpClient - MIME coded entities
  

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-mail/target/dependency/httpmime-4.5.3.jar
MD5: a00b6287cab2ad554ae3cbdbe983dc88
SHA1: 889fd6d061bb63b99dd5c6aba35a555ae863de52
SHA256:b4865b79a3aaeef794220b532bc7b07f793fa4aad90c29e83cab2b835cd8ee06

Identifiers

hystrix-core-1.5.10.jar

Description:

hystrix-core

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/hystrix-core-1.5.10.jar
MD5: 69aa77b66258c806392c22791226c53a
SHA1: cd46dd2533138019a0473ed16a333aaea4d4b7de
SHA256:21efe0d01e2c2e736b48d98e0cfaca9ed5e6520edf8962214e242bea548e5f86

Identifiers

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (OSSINDEX)  

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.netflix.hystrix:hystrix-core:1.5.10:*:*:*:*:*:*:*

jackson-annotations-2.8.0.jar

Description:

Core annotations used for value types, used by Jackson data binding package.
  

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/jackson-annotations-2.8.0.jar
MD5: 288e6537849f0c63e76409b515c4fbe4
SHA1: 45b426f7796b741035581a176744d91090e2e6fb
SHA256:e61b7343aceeb6ecda291d4ef133cd3e765f178c631c357ffd081abab7f15db8

Identifiers

jackson-core-2.8.7.jar

Description:

Core Jackson abstractions, basic JSON streaming API implementation

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-search/target/dependency/jackson-core-2.8.7.jar
MD5: 18507133d5fc96dee39186b6d44d148e
SHA1: 8b46f39c78476fb848c81a49fa807a9e9506dddd
SHA256:256ff34118ab292d1b4f3ee4d2c3e5e5f0f609d8e07c57e8ad1f51c46d4fbb46

Identifiers

jackson-core-asl-1.9.11.jar

Description:

Jackson is a high-performance JSON processor (parser, generator)

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/jackson-core-asl-1.9.11.jar
MD5: 49801a6d43725d5c3a1a52ca021d7dc5
SHA1: e32303ef8bd18a5c9272780d49b81c95e05ddf43
SHA256:5fb6924b888550a9b0e8420747a93cc4ad24e03e724dcf4934c30cc0c4882ffc

Identifiers

jackson-coreutils-1.6.jar

Description:

null

License:

Lesser General Public License, version 3 or greater: http://www.gnu.org/licenses/lgpl.html
Apache Software License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/jackson-coreutils-1.6.jar
MD5: 26a6b351813e2895cba18e0ee4abe5b7
SHA1: 9e6af56eb7cc2a65700b289abc7ee2bd170fd231
SHA256:d84b416924fb061a26c48a5c90e98cf4d4e718179eb1df702aa8f1021163eed6

Identifiers

jackson-databind-2.9.10.6.jar

Description:

General data-binding functionality for Jackson: works on core streaming API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-migration/target/dependency/jackson-databind-2.9.10.6.jar
MD5: 16a6e3c655806bddeb0663ed6435b07e
SHA1: fbe40c0535b836082be7e3f8cac79275b9c8ff4a
SHA256: a2885687e7856c09923ecce53eb10d131f4339958b18ff111e2d66c5be7453da

Identifiers

jackson-dataformat-cbor-2.8.7.jar

Description:

Support for reading and writing Concise Binary Object Representation ([CBOR](https://www.rfc-editor.org/info/rfc7049)) encoded data using Jackson abstractions (streaming API, data binding, tree model)

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-elasticsearch/target/dependency/jackson-dataformat-cbor-2.8.7.jar
MD5: a888ae9515c9be1605e6dd3081f56430
SHA1: c63d6021cbdc3683cb0c48da81660bc15f1adeba
SHA256: 3929804834b88ba82e3ae49f213d34174fda4464de8ffc7124cf465d96a4fef1

Identifiers

jackson-datatype-joda-2.8.7.jar

Description:

Add-on module for Jackson (http://jackson.codehaus.org) to support Joda (http://joda-time.sourceforge.net/) data types.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/jackson-datatype-joda-2.8.7.jar
MD5: 06b7fc1f84217b4247bf59c3303c4c13
SHA1: 66c64b58f3984b62b191f56c0e4d7ea63fedd1d5
SHA256: dc11f4025d16e67baec43e72efd8509b9bca7860cb6ecbad66a93716cf152f35

Identifiers

jackson-mapper-asl-1.9.11.jar

Description:

Data Mapper package is a high-performance data binding package built on Jackson JSON processor

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/jackson-mapper-asl-1.9.11.jar
MD5: 8f10143a94de3e786dd53db10fa54598
SHA1: 45d70862fa016993193075a1e8e32a01dcf438e8
SHA256: 246ee4dcb26cb040608eab5d978efe2618564568923c0a98e6118f8858b31def

Identifiers

CVE-2017-15095 (OSSINDEX)  

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*

CVE-2017-17485 (OSSINDEX)  

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*

CVE-2017-7525 (OSSINDEX)  

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*

CVE-2018-1000873 (OSSINDEX)  

FasterXML Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial of service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*

CVE-2018-14718 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*

CVE-2018-5968 (OSSINDEX)  

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*

CVE-2018-7489 (OSSINDEX)  

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*

CVE-2019-10172  

A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affect the codehaus jackson-mapper-asl libraries, but in different classes.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-14540 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*

CVE-2019-14893 (OSSINDEX)  

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*

CVE-2019-16335 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*

CVE-2019-17267 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*

CVE-2020-10672 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*

CVE-2020-10673 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*

jacoco-maven-plugin-0.7.9.jar

Description:

The JaCoCo Maven Plugin provides the JaCoCo runtime agent to your tests and allows basic report creation.

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-upload/target/dependency/jacoco-maven-plugin-0.7.9.jar
MD5: 266f1f82dec724de8b66efe8fa4333e6
SHA1: a4b7c694a54f147824d0e15cb27a0a86721a0a77
SHA256: 0c2aed24e4e811b0fdc3fd1f483ea75c8ed810e09e3484e126fa0ea7867bdbed

Identifiers

javaluator-3.0.1.jar

Description:

Javaluator is a simple, but powerful, infix expression evaluator for Java.

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-search/target/dependency/javaluator-3.0.1.jar
MD5: 164a27515cd2fa803cb817d2f3364948
SHA1: 2858833d5416801d8df6928ef4a9c9acb5e289e3
SHA256: 59621cf2f911f02c2382d1105cf3cdd0527e3c471c07212902a3ca175559e6fc

Identifiers

javax.annotation-api-1.3.2.jar

Description:

Common Annotations for the JavaTM Platform API

License:

CDDL + GPLv2 with classpath exception: https://github.com/javaee/javax.annotation/blob/master/LICENSE
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-config-center/target/dependency/javax.annotation-api-1.3.2.jar
MD5: 2ab1973eefffaa2aeec47d50b9e40b9d
SHA1: 934c04d3cfef185a8008e7bf34331b79730a9d43
SHA256: e04ba5195bcd555dc95650f7cc614d151e4bcd52d29a10b8aa2197f3ab89ab9b

Identifiers

javax.batch-api-1.0.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-batch/target/dependency/javax.batch-api-1.0.jar
MD5: d2c9b38431c46dc26a9eb722a6ff8903
SHA1: 65392d027a6eb369fd9fcd1b75cae150e25ac03c
SHA256: 784190953892bab713a5dc5d2a611ec6b71c5d0adcd69c96db0870f3712ea24b

Identifiers

javax.el-2.2.4.jar

Description:

Java.net - The Source for Java Technology Collaboration

License:

CDDL + GPLv2 with classpath exception: http://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/javax.el-2.2.4.jar
MD5: 630281cfda93b57a95287dac09184014
SHA1: a50914ff519682e185bca4385b4313b8c8a81775
SHA256: 787e7e247da8008c699bafd8e086ccae13e6f3cac3c07ca1c698e44f917b42de

Identifiers

javax.el-api-2.2.5.jar

Description:

Java.net - The Source for Java Technology Collaboration

License:

CDDL + GPLv2 with classpath exception: http://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/javax.el-api-2.2.5.jar
MD5: 2175d1f7cb694bc06db07e445d37f8b7
SHA1: 370140e991eefb212a6d6baedbce585f00ef76e0
SHA256: 07bed15032caa7203b43a145d8f0a0fd7a8fd74452e089627f1abe36bbb7648e

Identifiers

javax.servlet-api-3.1.0.jar

Description:

Java(TM) Servlet 3.1 API Design Specification

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/javax.servlet-api-3.1.0.jar
MD5: 79de69e9f5ed8c7fcb8342585732bbf7
SHA1: 3cd63d075497751784b2fa84be59432f4905bf7c
SHA256: af456b2dd41c4e82cf54f3e743bc678973d9fe35bd4d3071fa05c7e5333b8482

Identifiers

jboss-logging-3.3.0.Final.jar

Description:

The JBoss Logging Framework

License:

Apache License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-config-center/target/dependency/jboss-logging-3.3.0.Final.jar
MD5: bc11af4b8ce7138cdc79b7ba8561638c
SHA1: 3616bb87707910296e2c195dc016287080bba5af
SHA256: e0e0595e7f70c464609095aef9e47a8484e05f2f621c0aa5081c18e3db2d498c

Identifiers

jcl-over-slf4j-1.7.24.jar

Description:

JCL 1.2 implemented over SLF4J

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-parent/target/dependency/jcl-over-slf4j-1.7.24.jar
MD5: c4f92652e13f3095fc95fcdcb5b514d7
SHA1: e6a8629079856a2aa7862c6327ccf6dd1988d7fc
SHA256: 53c6d81ae92ab7a67abf03439b0a2c3872cfe04bab3bf8db9c58fd03f5e71948

Identifiers

jconsole-1.8.0.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/jconsole-1.8.0.jar
MD5: 24c00cecdcbe28558c0fe8e92321e93e
SHA1: bab810a170e65f9f05ebe0a16dbb4ff21ff50e3c
SHA256: 64403fb60da8de18e461c2656f716bacbc1958e09fb6d0f5cfe63263e953cc49

Identifiers

  • None

jdom-1.1.jar

Description:

JDOM is, quite simply, a Java representation of an XML document. JDOM provides a way to represent that document for easy and efficient reading, manipulation, and writing. It has a straightforward API, is lightweight and fast, and is optimized for the Java programmer. It's an alternative to DOM and SAX, although it integrates well with both DOM and SAX.

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-upload/target/dependency/jdom-1.1.jar
MD5: adf67fc5dcf48e1593640ad7e02f6ad4
SHA1: 1d04c0f321ea337f3661cf7ede8f4c6f653a8fdd
SHA256: 3c167654499436ee9c19674b519d04e7364085533f6facada1bf90b16ad34897

Identifiers

jedis-2.9.0.jar

Description:

Jedis is a blazingly small and sane Redis java client.

License:

MIT: http://github.com/xetorthio/jedis/raw/master/LICENSE.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/jedis-2.9.0.jar
MD5: 6a6aca8811e3d0c74525ca670a310f3f
SHA1: 292bc9cc26553acd3cccc26f2f95620bf88a04c2
SHA256: 1eaa96cb8e5055e4d517467f0f3b2b3cbbc62a7d9d1e8b6a23c617ec60d386fa

Identifiers

jettison-1.2.jar

Description:

A StAX implementation for JSON.

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-batch/target/dependency/jettison-1.2.jar
MD5: 4661a5152aa90f104948bdc78fdf255c
SHA1: 0765a6181653f4b05c18c7a9e8f5c1f8269bf9b2
SHA256: 544a20dcb7327bef08b0292afdf2a1312bf3004b9bde1bf06ea52b99dea414e9

Identifiers

jna-4.2.2.jar

Description:

Java Native Access

License:

LGPL, version 2.1: http://www.gnu.org/licenses/licenses.html
ASL, version 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-elasticsearch/target/dependency/jna-4.2.2.jar
MD5: 78eb97e642452eb30aea5f76e52a7603
SHA1: 5012450aee579c3118ff09461d5ce210e0cdc2a9
SHA256: 1f38af54e06c6e6f6dbf39ba2c052b952dea5dddb4871127b34639ddeb11bdbe

Identifiers

jna-4.2.2.jar: jnidispatch.dll

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-elasticsearch/target/dependency/jna-4.2.2.jar/com/sun/jna/w32ce-arm/jnidispatch.dll
MD5: 57697cbdd321ae7d06f5da04e821f908
SHA1: 67167f2b2fce8db5f9f64a372b0da54730d3ee51
SHA256: 361e173e6e50cb1bf8b7fab38c1ff99686ea819e58ee30348e7756cb0418a9f6

Identifiers

  • None

jna-4.2.2.jar: jnidispatch.dll

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-elasticsearch/target/dependency/jna-4.2.2.jar/com/sun/jna/win32-x86/jnidispatch.dll
MD5: d2f0da769204b8c45c207d8f3d8fc37e
SHA1: c6870c1b8be2dbf1d737c918963d2f183aa778e1
SHA256: 064c34c9f92f6aca636b5b53006b539853268570f048f33155c6a6635d6c0e7b

Identifiers

  • None

jna-4.2.2.jar: jnidispatch.dll

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-elasticsearch/target/dependency/jna-4.2.2.jar/com/sun/jna/win32-x86-64/jnidispatch.dll
MD5: b04c620540a971e93390ba9ec7cc8641
SHA1: cb612a48eff7c60c40a6bb64b78fb47d5709f5e7
SHA256: 1b2af8b31416f68051db213bcdcf82775e29191b6d069c327988e02e654030ad

Identifiers

  • None

joda-time-2.9.7.jar

Description:

Date and time library to replace JDK date handling

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-elasticsearch/target/dependency/joda-time-2.9.7.jar
MD5: 57ab2188241bd18a7392bfaf61ba33cd
SHA1: 6eb2e87ddb09e944bb88f06f19ba0638d4607ffd
SHA256: 2bcac56802ec8d6f16941ef8a8d5fee4032902ba9937549be220f0a06eb9f503

Identifiers

jopt-simple-4.6.jar

Description:

A Java library for parsing command line options

License:

The MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/jopt-simple-4.6.jar
MD5: 13560a58a79b46b82057686543e8d727
SHA1: 306816fb57cf94f108a43c95731b08934dcae15c
SHA256: 3fcfbe3203c2ea521bf7640484fd35d6303186ea2e08e72f032d640ca067ffda

Identifiers

jopt-simple-5.0.2.jar

Description:

A Java library for parsing command line options

License:

The MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-batch/target/dependency/jopt-simple-5.0.2.jar
MD5: 22d04887411554d11534653a40ea325a
SHA1: 98cafc6081d5632b61be2c9e60650b64ddbc637c
SHA256: 457877c79e038f390557db5f8e92c4436fb4f4b3ba63f28bc228500fee080193

Identifiers

json-20140107.jar

Description:

JSON is a light-weight, language independent, data interchange format. See http://www.JSON.org/

The files in this package implement JSON encoders/decoders in Java. It also includes the capability to convert between JSON and XML, HTTP headers, Cookies, and CDL.

This is a reference implementation. There is a large number of JSON packages in Java. Perhaps someday the Java community will standardize on one. Until then, choose carefully.

The license includes this restriction: "The software shall be used for good, not evil." If your conscience cannot live with that, then choose a different package.

The package compiles on Java 1.2 thru Java 1.4.

License:

The JSON License: http://json.org/license.html
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-sms-http/target/dependency/json-20140107.jar
MD5: 8ca2437d3dbbaa2e76195adedfd901f4
SHA1: d1ffca6e2482b002702c6a576166fd685e3370e3
SHA256: 8e5aa0a368bee60347b5a4ad861d9f68c7793f60deeea89efd449eb70d5ae622

Identifiers

json-lib-2.4-jdk15.jar

Description:

Java library for transforming beans, maps, collections, java arrays and XML to JSON.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-upload/target/dependency/json-lib-2.4-jdk15.jar
MD5: f5db294d05b3d5a5bfb873455b0a8626
SHA1: 136743e0d12df4e785e62b48618cee169b2ae546
SHA256: 8290f8871ebd3db52e36c6fa844fe172895b2c714ea589cfed3d78ad9c01a924

Identifiers

json-patch-1.6.jar

Description:

null

License:

Lesser General Public License, version 3 or greater: http://www.gnu.org/licenses/lgpl.html
Apache Software License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/json-patch-1.6.jar
MD5: 1f19e6bf78d7ef5b35b4febe1586c854
SHA1: 08c7a8da998228261d5eec90c5aeb382d1ff723c
SHA256: ad661820863cb530b77e97625a2e1ead886da2a343da2d455564a85bea813b5e

Identifiers

json-path-2.2.0.jar

Description:

Java port of Stefan Goessner JsonPath.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/json-path-2.2.0.jar
MD5: 98ec1b51b19c21a32845ba3498df6629
SHA1: 22290d17944bd239fabf5ac69005a60a7ecbbbcb
SHA256: f74833d885773a0a3a937ebdb632ca2ff6d95b52cf7f5725de6dd688844207cd

Identifiers

json-schema-core-1.2.1.jar

Description:

null

License:

Lesser General Public License, version 3 or greater: http://www.gnu.org/licenses/lgpl.html
Apache Software License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/json-schema-core-1.2.1.jar
MD5: 12e7921cd1f77d14d561fc216536e118
SHA1: 248410bcfeac7d50b9b4eb03f311fd554962794a
SHA256: 1baa531318af3d3023bd0b85edd57cad74901b379f44327872ed765a2e3eb61b

Identifiers

json-schema-validator-2.2.3.jar

Description:

null

License:

Lesser General Public License, version 3 or greater: http://www.gnu.org/licenses/lgpl.html
Apache Software License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/json-schema-validator-2.2.3.jar
MD5: d3af7154b31ef5b791f6d2bbc8c69bf6
SHA1: 06708b4ea223564a5db416738cf401a28d503948
SHA256: b5cea7cd5b970f7173e3bdcf98fdb149d2e9612a07bef1459426f8805e588ccd

Identifiers

json-smart-2.2.1.jar

Description:

JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/json-smart-2.2.1.jar
MD5: 4c82c537eb0ba92adad494283711cc11
SHA1: 5b9e5df7a62d1279b70dc882b041d249c4f0b002
SHA256: 871ff1fca0709fbf924a86704f1c7070e1ee774881c76feb1ba781351efe4693

Identifiers

jsonassert-1.4.0.jar

Description:

A library to develop RESTful but flexible APIs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-mail/target/dependency/jsonassert-1.4.0.jar
MD5: 5d8b0cc1089c3dc08214f86a873d895b
SHA1: 9cdbb373a06f6513e51e8c545ee6a5e981463edb
SHA256: 35f6b365e54add81472e6069f71daca8de0c3a5c7db46febd18009b95e2784b7

Identifiers

jsoup-1.10.2.jar

Description:

jsoup is a Java library for working with real-world HTML. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jquery-like methods. jsoup implements the WHATWG HTML5 specification, and parses HTML to the same DOM as modern browsers do.

License:

The MIT License: https://jsoup.org/license
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-elasticsearch/target/dependency/jsoup-1.10.2.jar
MD5: 36145fee38e79b81035787f1be296a52
SHA1: 33ee82e324f4b1e40167f3dc5e01234a1c5cab61
SHA256: 6ebe6abd7775c10a49407ae22db45c840cd2cdaf715866a5b0b5af70941c3f4a

Identifiers

jsqlparser-0.9.5.jar

Description:

JSqlParser parses an SQL statement and translates it into a hierarchy of Java classes. The generated hierarchy can be navigated using the Visitor Pattern.

License:

GNU Library or Lesser General Public License (LGPL) V2.1: http://www.gnu.org/licenses/lgpl-2.1.html
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-batch/target/dependency/jsqlparser-0.9.5.jar
MD5: 6275e17803860e466b8d7c93c85176ae
SHA1: b1ee308d5a745b4e6a98e83af9a75a6f2e5828d0
SHA256: 4286fba4b610ee7dc0d7d66fa1edd4344e893e37495d11ec059aa470a38b952c

Identifiers

jsr305-2.0.1.jar

Description:

JSR305 Annotations for Findbugs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/jsr305-2.0.1.jar
MD5: 144c0767e2aaf0c21a935908d0e52c68
SHA1: 516c03b21d50a644d538de0f0369c620989cd8f0
SHA256: 1e7f53fa5b8b5c807e986ba335665da03f18d660802d8bf061823089d1bee468

Identifiers

jul-to-slf4j-1.7.24.jar

Description:

JUL to SLF4J bridge

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-parent/target/dependency/jul-to-slf4j-1.7.24.jar
MD5: 8f13c04772e364c3ca0a1d9d979cc701
SHA1: 25a2be668cb2ad1d05d76c0773df73b4b53617fd
SHA256: 0056006ce1d23d6ffb2a6e331ae8496de69a630b152c07c79174b467dcd75576

Identifiers

junit-4.12.jar

Description:

JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.

License:

Eclipse Public License 1.0: http://www.eclipse.org/legal/epl-v10.html
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-sms-http/target/dependency/junit-4.12.jar
MD5: 5b38c40c97fbd0adee29f91e60405584
SHA1: 2973d150c0dc1fefe998f834810d68f278ea58ec
SHA256: 59721f0805e223d84b90677887d9ff567dc534d7c502ca903c0c2b17f05c116a

Identifiers

lang-mustache-client-5.2.1.jar

Description:

Mustache scripting integration for Elasticsearch

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-elasticsearch/target/dependency/lang-mustache-client-5.2.1.jar
MD5: 7057665ce8ec719b657cf4b9ace54be9
SHA1: cd8b50d633108bfe691f7cb5fed43f1bf6231788
SHA256: f7c1144f1b6f9b1dbf4329998e57aed1c6c93663f8b0e0fbd798078da0f49c82

Identifiers

CVE-2019-7611  

A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used. If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above, to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2019-7614  

A race condition flaw was found in the response headers that Elasticsearch versions before 7.2.1 and 6.8.2 return to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to a response header containing sensitive data from another user.
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2020-7019  

In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

libphonenumber-6.0.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/libphonenumber-6.0.jar
MD5: 71634687105283b8019662e07b8b0985
SHA1: 64ab017d97b44eafa7a149bbd8dddfdf967b40de
SHA256: 57c80aced94fb197a7d554525e426e50607609338bd4a5d8b4818e1c4bea7eec

Identifiers

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (OSSINDEX)  

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.googlecode.libphonenumber:libphonenumber:6.0:*:*:*:*:*:*:*

log4j-api-2.8.1.jar

Description:

The Apache Log4j API

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-search/target/dependency/log4j-api-2.8.1.jar
MD5: a2ad9b058b4b03d43f3cc301701654e4
SHA1: e801d13612e22cad62a3f4f3fe7fdbe6334a8e72
SHA256: 1205ab764b1326f7d96d99baa4a4e12614599bf3d735790947748ee116511fa2

Identifiers

CVE-2017-5645  

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-9488  

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.
CWE-295 Improper Certificate Validation

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: LOW (3.7)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

log4j-over-slf4j-1.7.24.jar

Description:

Log4j implemented over SLF4J

License:

Apache Software Licenses: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-parent/target/dependency/log4j-over-slf4j-1.7.24.jar
MD5: 196e88a341f9a807cca0630e8da46398
SHA1: 6ab46c51a3848286a0db3ba7b22037b3834c3c44
SHA256: 90ec03fa2a945115da5c5e878c68a0d60e8efb25b831acbd1976326476fe18c2

Identifiers

logback-core-1.1.11.jar

Description:

logback-core module

License:

http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-migration/target/dependency/logback-core-1.1.11.jar
MD5: cc7a8deacd26b0aa2668779ce2721c0f
SHA1: 88b8df40340eed549fb07e2613879bf6b006704d
SHA256: 58738067842476feeae5768e832cd36a0e40ce41576ba5739c3632d376bd8c86

Identifiers

logstash-gelf-1.13.0.jar

License:

MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-parent/target/dependency/logstash-gelf-1.13.0.jar
MD5: dbd69b92ab8e59fdcb626af1605fb45f
SHA1: b6360e3dc7735f8bcb3b4cd8fda25095bc88e16b
SHA256: 7ca2866a6e033d0aba9097e0ed54283da1736e935177caa216d301ec4aa1c979

Identifiers

logstash-logback-encoder-4.7.jar

Description:

Logback encoder which will output events as Logstash-compatible JSON

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
MIT License: http://www.slf4j.org/license.html
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/logstash-logback-encoder-4.7.jar
MD5: 145152eea66d75e28e09675533213727
SHA1: 851950c9d30b84bebbb78d5c6917b1ba77e67f13
SHA256: 1df772b92773937876a172ae4d43578780322a3e13b3aa39fff945a1fed9d96f

Identifiers

logstash-logback-encoder-4.7.jar (shaded: commons-lang:commons-lang:2.6)

Description:

Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/logstash-logback-encoder-4.7.jar/META-INF/maven/commons-lang/commons-lang/pom.xml
MD5: cca9ee287cb26a44a2f65450a24957cd
SHA1: 347d60b180fa80e5699d8e2cb72c99c93dda5454
SHA256: ed76b8891c30b566289c743656f8a4d435986982438d40c567c626233247e711

Identifiers

lombok-1.16.14.jar

Description:

Spice up your java: Automatic Resource Management, automatic generation of getters, setters, equals, hashCode and toString, and more!

License:

The MIT License: https://projectlombok.org/LICENSE
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/lombok-1.16.14.jar
MD5: 899f69e58eb7881c7514c40b88a30143
SHA1: 8486573ff5a5f17f48920c860caf534e7461976b
SHA256: e6a2a08d11a13082e92ce172785f4b3f5443837172e1e30d232f681321be0bd6

Identifiers

lombok-1.16.14.jar: WindowsDriveInfo-i386.dll

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/lombok-1.16.14.jar/lombok/installer/WindowsDriveInfo-i386.dll
MD5: c4d7064e400a22cc9a59d2d97382b5b8
SHA1: 63ac163436b8400dcc25f7d13e7a86313fd28a98
SHA256: f210056ba0dfd996646b91e92f4665399b33bf4da651dea26b4888f87215ec29

Identifiers

  • None

lombok-1.16.14.jar: WindowsDriveInfo-x86_64.dll

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/lombok-1.16.14.jar/lombok/installer/WindowsDriveInfo-x86_64.dll
MD5: cdf042a66f9681f362c365131e3c38dd
SHA1: a4598a189d82ae291faead4c0eec6abf22b256be
SHA256: 4897fff1914b3534f61fbba4ef7e26892b1f32b525e06f1e264bf1eaf08ce4fe

Identifiers

  • None

lucene-core-6.4.1.jar

Description:

Apache Lucene Java Core

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-batch/target/dependency/lucene-core-6.4.1.jar
MD5: 3b2931c1a4052f9ebe75f299ff393fef
SHA1: 2a18924b9e0ed86b318902cb475a0b9ca4d7be5b
SHA256: 0646d5ce1b746557c8ba1d99adc0b3740f34b5b8130e87c7304dc1b686e87dd5

Identifiers

mail-1.4.7.jar

Description:

JavaMail API (compat)

License:

http://www.sun.com/cddl, https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-mail/target/dependency/mail-1.4.7.jar
MD5: 77f53ff0c78ba43c4812ecc9f53e20f8
SHA1: 9add058589d5d85adeb625859bf2c5eeaaedf12d
SHA256: 78c33b4f7c7b60f4b680f2d2405b1f063d71929cf1a4fbc328888379f365fcfb

Identifiers

mailapi-1.4.3.jar

Description:

JavaMail API jar

License:

http://www.sun.com/cddl, https://glassfish.dev.java.net/public/CDDL+GPL.html
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/mailapi-1.4.3.jar
MD5: de1f54df6a55c4e77258cc77b51d3828
SHA1: 124600e35d9031da50e5f67661ffa741541f8f6a
SHA256: e83be4ed248cc554e8aab7c113cf3cb81240d895349d0758545507950cd23327

Identifiers

mapstruct-1.0.0.Final.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/mapstruct-1.0.0.Final.jar
MD5: 0ede03aa7f158fcc81656081875ae632
SHA1: 794bb2c7d3dd69211deb22857d92fb4c5361be3f
SHA256: 145da694cfcf2230f509974d9413fddb489e07051965e60e3c10b2af44d9d6a0

Identifiers

markup-document-builder-0.1.5.jar

Description:

A Markup (Markdown, AsciiDoc) document builder.

License:

Apache-2.0: https://github.com/RobWin/markup-document-builder/blob/master/LICENSE.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/markup-document-builder-0.1.5.jar
MD5: de8d3179418637f7f860664abb62b087
SHA1: ac23b3a2e34923ac4ad05ecd950ac18ad24f20ff
SHA256: 87129ee4e5fc2d6a36c0eec0d7fb838111a4acda7cb915839ac39bbd57c17aee

Identifiers

maven-artifact-2.2.1.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-elasticsearch/target/dependency/maven-artifact-2.2.1.jar
MD5: 7b7613fd5db72967269abe7ab50b76e9
SHA1: 23600f790d4dab2cb965419eaa982e3e84c428f8
SHA256: d53062ffe8677a4f5e1ad3a1d1fa37ed600fab39166d39be7ed204635c5f839b

Identifiers

maven-artifact-manager-2.2.1.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/maven-artifact-manager-2.2.1.jar
MD5: f3e76a8a83f422a900886543c48914f7
SHA1: ec355b913c34d37080810f98e3f51abecbe1572b
SHA256: d1e247c4ed3952385fd704ac9db2a222247cfe7d20508b4f3c76b90f857952ed

Identifiers

maven-model-2.2.1.jar

Description:

Maven Model

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-mail/target/dependency/maven-model-2.2.1.jar
MD5: b269f663e3440e40be4b696d9b7c2260
SHA1: c0a1c17436ec3ff5a56207c031d82277b4250a29
SHA256: 153b32f474fd676ec36ad807c508885005139140fc92168bb76bf6be31f8efb8

Identifiers

maven-plugin-api-2.2.1.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-common/target/dependency/maven-plugin-api-2.2.1.jar
MD5: 0ef36e831b92ac9697e0f72619910b8f
SHA1: d60c36b60f760e0b5b87dd0c6311f93a72dc4585
SHA256: 72a47a963563009c5e8b851491ced3f63e2d276b862bde1f9d10d53abac5b22f

Identifiers

maven-plugin-registry-2.2.1.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-mail/target/dependency/maven-plugin-registry-2.2.1.jar
MD5: 46a27ab81d327e3f5fd1d3e435fe2aad
SHA1: 72a24b7775649af78f3986b5aa7eb354b9674cfd
SHA256: 4ad0673155d7e0e5cf6d13689802d8d507f38e5ea00a6d2fb92aef206108213d

Identifiers

maven-profile-2.2.1.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-search/target/dependency/maven-profile-2.2.1.jar
MD5: 53dd14e28aaad4bd5dd379dfdbf46a4c
SHA1: 3950071587027e5086e9c395574a60650c432738
SHA256: ecaffef655fea6b138f0855a12f7dbb59fc0d6bffb5c1bfd31803cccb49ea08c

Identifiers

maven-project-2.2.1.jar

Description:

This library is used to not only read Maven project object model files, but to assemble inheritance and to retrieve remote models as required.

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/maven-project-2.2.1.jar
MD5: 8f9382d7c0c120e94c2aaf8bbe817b6f
SHA1: 8239e98c16f641d55a4ad0e0bab0aee3aff8933f
SHA256: 24ddb65b7a6c3befb6267ce5f739f237c84eba99389265c30df67c3dd8396a40

Identifiers

maven-reporting-api-2.2.1.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/maven-reporting-api-2.2.1.jar
MD5: 5e680d893d92086dffd8cc42637ceb0f
SHA1: 61942e490c112f84b3a1a61572d570f369414939
SHA256: 7339e0e8cf04574e9ce484713385888ca6ac6adc578a60a8e311261537df8c77

Identifiers

maven-reporting-impl-2.1.jar

Description:

Abstract classes to manage report generation.

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-common/target/dependency/maven-reporting-impl-2.1.jar
MD5: b8f3f33547c8ce1a67fbb793a05eb504
SHA1: 898da3a82a8dee7ce1d8a6e1d24efcc52ba28383
SHA256: 20185834514c2d99ea336aecb5c61017702b4dd837ede46234e7a957f70cb897

Identifiers

maven-repository-metadata-2.2.1.jar

Description:

Per-directory repository metadata.

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-batch/target/dependency/maven-repository-metadata-2.2.1.jar
MD5: c426b243119831168af2fbd767254f59
SHA1: 98f0c07fcf1eeb213bef8d9316a9935184084b06
SHA256: 5fe283f47b0e7f7d95a4252af3fa7a0db4d8f080cd9df308608c0472b8f168a1

Identifiers

maven-settings-2.2.1.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-mail/target/dependency/maven-settings-2.2.1.jar
MD5: 7c3dcffd55434a860339dba78f0c165a
SHA1: 2236ffe71fa5f78ce42b0f5fc22c54ed45f14294
SHA256: 9a9f556713a404e770c9dbdaed7eb086078014c989291960c76fdde6db4192f7

Identifiers

maven-shared-io-1.1.jar

Description:

API for I/O support like logging, download or file scanning.

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-search/target/dependency/maven-shared-io-1.1.jar
MD5: fe668f50b2c0edc8707609f792ca4036
SHA1: 02e1d57be05ecac7dbe56a3c73b113e98f22240f
SHA256: 10c0b971d692d2e3026aec6c49cbb12ddee4214e2a727603d1d309779ca2a62b

Identifiers

mockito-core-1.10.19.jar

Description:

Mock objects library for java

License:

The MIT License: http://github.com/mockito/mockito/blob/master/LICENSE
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-migration/target/dependency/mockito-core-1.10.19.jar
MD5: c1967f0a515c4b8155f62478ec823464
SHA1: e8546f5bef4e061d8dd73895b4e8f40e3fe6effe
SHA256: d5831ee4f71055800821a34a3051cf1ed5b3702f295ffebd50f65fb5d81a71b8

Identifiers

msg-simple-1.1.jar

Description:

null

License:

Lesser General Public License, version 3 or greater: http://www.gnu.org/licenses/lgpl.html
Apache Software License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/msg-simple-1.1.jar
MD5: b0d8d70468edff2e223b3d2f07cc5de1
SHA1: f261263e13dd4cfa93cc6b83f1f58f619097a2c4
SHA256: c3c5add3971a9a7f1868beb7607780d73f36bb611c7505de01f1baf49ab4ff75

Identifiers

mybatis-3.4.0.jar

Description:

The MyBatis SQL mapper framework makes it easier to use a relational database with object-oriented applications. MyBatis couples objects with stored procedures or SQL statements using a XML descriptor or annotations. Simplicity is the biggest advantage of the MyBatis data mapper over object relational mapping tools.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/mybatis-3.4.0.jar
MD5: 02e20b3546b5e2e3896c5b34a546bf78
SHA1: 1b37a54d8ab403e56cb3ed717c25193474efa226
SHA256: 4dd9e2d44934b6bb0f52b0a31abc10c41b4b51496a7f724d2929b9428de8c578

Identifiers

CVE-2020-26945  

MyBatis before 3.5.6 mishandles deserialization of object streams.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (5.1)
  • Vector: /AV:N/AC:H/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

mybatis-3.4.0.jar (shaded: ognl:ognl:3.1.2)

Description:

OGNL - Object Graph Navigation Library

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/mybatis-3.4.0.jar/META-INF/maven/ognl/ognl/pom.xml
MD5: d2daa0ea875b2beedeba225ecf0a48dc
SHA1: e42cec9d349c070552bec0672630bd3440632f54
SHA256: 9b2bbb26394725d7f817488801d65cdb34e18898a12764d5185d3735434eb2db

Identifiers

mybatis-3.4.0.jar (shaded: org.javassist:javassist:3.20.0-GA)

Description:

Javassist (JAVA programming ASSISTant) makes Java bytecode manipulation simple. It is a class library for editing bytecodes in Java.

License:

MPL 1.1: http://www.mozilla.org/MPL/MPL-1.1.html
LGPL 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Apache License 2.0: http://www.apache.org/licenses/
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/mybatis-3.4.0.jar/META-INF/maven/org.javassist/javassist/pom.xml
MD5: 22f71cba1b0b5b0e42c350a587426b9a
SHA1: 9f7a4893d0a08a4ccf3bc59ea61b075035ef429d
SHA256: c588a6571150b118a5cdf0ed9255756abb66c8a5ceda62693fe1d718d983e7f3

Identifiers

mybatis-spring-1.3.0.jar

Description:

An easy-to-use Spring bridge for MyBatis sql mapping framework.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/mybatis-spring-1.3.0.jar
MD5: 10cfdab260d2bfdb7c38b5d050c17a99
SHA1: d1dbdc46cac543447ffd5aeda59f1a9bb34f0912
SHA256: 04884c0b66600180fb759a12cae280ab68ae996f09f5c63db296ad1e1e445bbe

Identifiers

CVE-2020-26945  

MyBatis before 3.5.6 mishandles deserialization of object streams.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (5.1)
  • Vector: /AV:N/AC:H/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

mybatis-spring-boot-starter-1.1.1.jar

Description:

Spring Boot Support for MyBatis

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-batch/target/dependency/mybatis-spring-boot-starter-1.1.1.jar
MD5: b8a9687cd54b952d306bd935d76df4b6
SHA1: d0f14dd5e6cee6adc3d2bfee4c0a879dced80552
SHA256: 4e8bcdcb321cc849fc478598529b85e6c1c2caa4064d6838e588b85d8d23010f

Identifiers

CVE-2020-26945  

MyBatis before 3.5.6 mishandles deserialization of object streams.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (5.1)
  • Vector: /AV:N/AC:H/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

mybatis-typehandlers-jsr310-1.0.1.jar

Description:

MyBatis Type Handlers supporting JSR-310

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/mybatis-typehandlers-jsr310-1.0.1.jar
MD5: 2243e0493faa7cf28c10e2edddd25df5
SHA1: 82bf69b93e4d2403c144041a1e67d4df9aa1a2a0
SHA256: ebc5950b5dd909e76677c52c1003b4a3714c72f26c90081eb8b66f1750f0c6bb

Identifiers

CVE-2020-26945  

MyBatis before 3.5.6 mishandles deserialization of object streams.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (5.1)
  • Vector: /AV:N/AC:H/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

mysql-connector-java-5.1.41.jar

Description:

MySQL JDBC Type 4 driver

License:

The GNU General Public License, Version 2: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-batch/target/dependency/mysql-connector-java-5.1.41.jar
MD5: eb844eb8920b73aebe8b89d06a6a648b
SHA1: b0878056f15616989144d6114d36d3942321d0d1
SHA256: 627c8d6a4956ae905f5445b0dc0d18ecbf88213cee089c998fcf5ced92a9da37

Identifiers

CVE-2017-15945  

The installation scripts in the Gentoo dev-db/mysql, dev-db/mariadb, dev-db/percona-server, dev-db/mysql-cluster, and dev-db/mariadb-galera packages before 2017-09-29 have chown calls for user-writable directory trees, which allows local users to gain privileges by leveraging access to the mysql account for creation of a link.
CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:
  • Base Score: HIGH (7.2)
  • Vector: /AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (7.8)
  • Vector: /AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2017-3589  

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data. CVSS 3.0 Base Score 3.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: LOW (3.3)
  • Vector: /AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2018-3258  

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: /AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2019-2692  

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:L/AC:H/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: MEDIUM (6.3)
  • Vector: /AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-2875  

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:H/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.7)
  • Vector: /AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2020-2933  

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: LOW (2.2)
  • Vector: /AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L

References:

Vulnerable Software & Versions:

CVE-2020-2934  

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.1)
  • Vector: /AV:N/AC:H/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

References:

Vulnerable Software & Versions:

nacos-api-1.2.0.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-config-center/target/dependency/nacos-api-1.2.0.jar
MD5: 86b5c3725f5e1ba5a0cdb65a7c3e2377
SHA1: 2fb594921572afe45a01d89326c1eb757c659c72
SHA256: 79c1e7900ca5d4f745736bc65960293ba733b7b61ab8bf3f7828ba41c4940d7d

Identifiers

nacos-spring-boot-base-0.1.7.jar

Description:

Nacos Spring Boot Base

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-config-center/target/dependency/nacos-spring-boot-base-0.1.7.jar
MD5: 26b8138b1f155fc8e426b7e81f9c35e4
SHA1: 793712b1e7beee522193463db299e927274be0c2
SHA256: f133f7f7a52287f62d562b4ba42f087a80e03ff587b287ce108313c1dd3b91fd

Identifiers

nacos-spring-context-0.3.6.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-config-center/target/dependency/nacos-spring-context-0.3.6.jar
MD5: 3cd7fe609f3df78b517d559920a83cfc
SHA1: 8f4675fc4408a1d18cb1d60680621157a055ba8b
SHA256: 1063503f0c1008b55027efed7146eb6aac2a48d5515e5b001f483b36e4e355fd

Identifiers

netflix-commons-util-0.1.1.jar

Description:

netflix-commons-util developed by Netflix

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/netflix-commons-util-0.1.1.jar
MD5: 39797b7f8b2dfb710f79f21be1b68e3f
SHA1: 39e67061780476f207b31465baaed84a91ff659f
SHA256: 3b5336df78667d56d84e8fef0910188ede7a08aa81788e05378266a30477d28b

Identifiers

netty-3.10.6.Final.jar

Description:

The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-elasticsearch/target/dependency/netty-3.10.6.Final.jar
MD5: e9cdf01138257f48d796fb2cf67af53e
SHA1: 18ed04a0e502896552854926e908509db2987a00
SHA256: 8768a50fbe3d93a88d8e6000ea5d68e30f50dc915b3764c3c5870f70c4fb3b49

Identifiers

CVE-2019-16869  

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-20444  

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-20445  

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

netty-common-4.1.7.Final.jar (shaded: org.jctools:jctools-core:1.2.1)

Description:

Java Concurrency Tools Core Library

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-elasticsearch/target/dependency/netty-common-4.1.7.Final.jar/META-INF/maven/org.jctools/jctools-core/pom.xml
MD5: b104e807eab8c5ec728e4440814b4e86
SHA1: 890d905133422e4be5df7cffa81e7dd9c5336d7e
SHA256: 12444dc7be1ea1e1b5361f4bb9fb9ae04197b64846c3ce915b363cfafbcdf8d9

Identifiers

netty-transport-4.1.7.Final.jar

Description:

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-search/target/dependency/netty-transport-4.1.7.Final.jar
MD5: fd8ef33a8196b1bd528c855b0cec77e2
SHA1: 469e86d4dda1dca8b88d2b1faa8e0f078243ba12
SHA256: 5c6aaaa855a1ef42885f99cd3ea602f523ef0fe172fda26f1ac693d35abb251b

Identifiers

CVE-2019-16869  

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-20444  

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-20445  

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2020-11612  

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

objenesis-2.5.1.jar

Description:

A library for instantiating Java objects

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-upload/target/dependency/objenesis-2.5.1.jar
MD5: 84b9e3191629e53abbb05a92c683c617
SHA1: 272bab9a4e5994757044d1fc43ce480c8cb907a4
SHA256: b043f03e466752f7f03e2326a3b13a49b7c649f8f2a2dc87715827e24f73d9c6

Identifiers

org.apache.oltu.oauth2.common-1.0.2.jar

Description:

OAuth 2.0 library - Common

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-sms-http/target/dependency/org.apache.oltu.oauth2.common-1.0.2.jar
MD5: 48d5e8f17d2f292b32788d2b98b1aebd
SHA1: a82fff95276f4c6feadc7993670e659076e43260
SHA256: 5e7ce01db88b361543e75644269c9447a059a5fecc23a15f3546eff8680ec968

Identifiers

org.jacoco.agent-0.7.9-runtime.jar

Description:

JaCoCo Agent

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-common/target/dependency/org.jacoco.agent-0.7.9-runtime.jar
MD5: 13f8627b85a0049e046bf04e6ea91103
SHA1: a6ac9cca89d889222a40dab9dd5039bfd22a4cff
SHA256: 44238878b1e6e7d36c698019430018c18baec9b344e9e223bf75c37c8f84d74e

Identifiers

org.jacoco.agent-0.7.9-runtime.jar (shaded: org.jacoco:org.jacoco.agent.rt:0.7.9)

Description:

JaCoCo Java Agent

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-common/target/dependency/org.jacoco.agent-0.7.9-runtime.jar/META-INF/maven/org.jacoco/org.jacoco.agent.rt/pom.xml
MD5: 4c617355517b3a9d0ff9ddbbfaa6abe9
SHA1: 13374d463bfd0a532384db1651a64d34c2c9e3b5
SHA256: 3ba57d0575b693a8d3bd6376e32de00653cd67e6b98119225e4e06cfb238a185

Identifiers

org.jacoco.core-0.7.9.jar

Description:

JaCoCo Core

License:

http://www.eclipse.org/legal/epl-v10.html
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/org.jacoco.core-0.7.9.jar
MD5: b31bf7ed1a27f2edeac6c525be96079b
SHA1: 66215826a684eb6866d4c14a5a4f9c344f1d1eef
SHA256: f594db9a0da20141857d0f38630e17f5e01fe2d4010290dab44402860d44ffb3

Identifiers

org.jacoco.report-0.7.9.jar

Description:

JaCoCo Report

License:

http://www.eclipse.org/legal/epl-v10.html
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-elasticsearch/target/dependency/org.jacoco.report-0.7.9.jar
MD5: 1e8ad08dcf16518d31cb91a8b8fe60ee
SHA1: 8a7f78fdf2a4e58762890d8e896a9298c2980c10
SHA256: 8d0be46e1170d205cd243c958be4680a85c8228030365e1846c7f53e6199b8c4

Identifiers

org.jacoco.report-0.7.9.jar: prettify.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-elasticsearch/target/dependency/org.jacoco.report-0.7.9.jar/org/jacoco/report/internal/html/resources/prettify.js
MD5: ca542347ebfb8350ece6bbc956c219a4
SHA1: 7b53b64816f5eda1b77f8a2830bdb828f8318a90
SHA256: 36d605c47018e0360ee889093d97f8976676a48792c8aca09599a04c79ed2cdd

Identifiers

  • None

org.jacoco.report-0.7.9.jar: sort.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-elasticsearch/target/dependency/org.jacoco.report-0.7.9.jar/org/jacoco/report/internal/html/resources/sort.js
MD5: 7e539dae31978a007458774819294478
SHA1: 87e3613e2cb4ffe8f0ffd903c5974085faffdc5e
SHA256: 794d2579d4adb28c3d4ccf9d9b0410ce01d58ff9f8b1956fb8beddc8417b09c0

Identifiers

  • None

oro-2.0.8.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-search/target/dependency/oro-2.0.8.jar
MD5: 42e940d5d2d822f4dc04c65053e630ab
SHA1: 5592374f834645c4ae250f4c9fbb314c9369d698
SHA256: e00ccdad5df7eb43fdee44232ef64602bf63807c2d133a7be83ba09fd49af26e

Identifiers

pagehelper-4.1.6.jar

Description:

Mybatis Pagination Plugin

License:

The MIT License (MIT): https://github.com/pagehelper/Mybatis-PageHelper/blob/master/LICENSE
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-common/target/dependency/pagehelper-4.1.6.jar
MD5: 65717b86fb5d71757fe6d73d2d5e71ba
SHA1: 48eb74110c115b01f4fe8d184845247eb0d22b0f
SHA256: c162bf2671adf72629c00ee6537b97a181b196d888d936967a494b87cfa41b08

Identifiers

percolator-client-5.2.1.jar

Description:

Percolator module adds capability to index queries and query these queries by specifying documents

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-search/target/dependency/percolator-client-5.2.1.jar
MD5: 772c245620afbd9dcc79a88caab76392
SHA1: faadefcc39f4208e3ddc9a8e104de6fec8ccb966
SHA256: 5bfa856f53834458f93ee54bc8af5bb9ba1b6b82a274f25a9a6cdc5d1b03b3f7

Identifiers

CVE-2019-7611

A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used. If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2019-7614

A race condition flaw was found in the response headers that Elasticsearch versions before 7.2.1 and 6.8.2 return to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to a response header containing sensitive data from another user.
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2020-7019

In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

plexus-container-default-1.0-alpha-9-stable-1.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-mail/target/dependency/plexus-container-default-1.0-alpha-9-stable-1.jar
MD5: 99533a9d3e0fa3280cd0bd3426c5f99b
SHA1: 94aea3010e250a334d9dab7f591114cd6c767458
SHA256: 7c758612888782ccfe376823aee7cdcc7e0cdafb097f7ef50295a0b0c3a16edf

Identifiers

plexus-i18n-1.0-beta-7.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-sms-http/target/dependency/plexus-i18n-1.0-beta-7.jar
MD5: 65d4f673bd0c49dbc67e020e96b00753
SHA1: 3690f10a668b3c7ac2ef563f14cfb6b2ba30ee57
SHA256: fff07392dc6b29ef90c435ab004671a715f0aa36653e53b44c358eb842ce67d9

Identifiers

plexus-interpolation-1.11.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/plexus-interpolation-1.11.jar
MD5: d5ef768cef9a261d569ff1f672324154
SHA1: ad9dddff6043194904ad1d2c00ff1d003c3915f7
SHA256: fd9507feb858fa620d1b4aa4b7039fdea1a77e09d3fd28cfbddfff468d9d8c28

Identifiers

plexus-utils-3.0.22.jar

Description:

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/plexus-utils-3.0.22.jar
MD5: 2a32677a099da7c5b9b2b39c066f2cc6
SHA1: 764f26e0ab13a87c48fe55f525dfb6a133b7a92f
SHA256: 0f31c44b275f87e56d46a582ce96d03b9e2ab344cf87c4e268b34d3ad046beab

Identifiers

Directory traversal in org.codehaus.plexus.util.Expand (OSSINDEX)

> org.codehaus.plexus.util.Expand does not guard against directory traversal, but such protection is generally expected from unarchiving tools.
> 
> -- [github.com](https://github.com/codehaus-plexus/plexus-utils/issues/4)
Unscored:
  • Severity: Unknown

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.plexus:plexus-utils:3.0.22:*:*:*:*:*:*:*

Possible XML Injection (OSSINDEX)

> `org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment(XMLWriter, String, int, int, int)` does not check if the comment includes a `"-->"` sequence.  This means that text contained in the command string could be interpreted as XML, possibly leading to XML injection issues, depending on how this method is being called.
> 
> -- [github.com](https://github.com/codehaus-plexus/plexus-utils/issues/3)
Unscored:
  • Severity: Unknown

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.plexus:plexus-utils:3.0.22:*:*:*:*:*:*:*

plexus-velocity-1.1.7.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-search/target/dependency/plexus-velocity-1.1.7.jar
MD5: d460d060e07b3bccaf6593440ce7be1e
SHA1: 1440fc2552d1405b1c2d380ef3b96c4d9c6dbd0b
SHA256: 1c9c994fbcd31526d451797072d7afb19f9b1962e710f3088f54fd1267b45fae

Identifiers

random-beans-3.5.0.jar

Description:

Random Beans core implementation

License:

MIT License: http://opensource.org/licenses/mit-license.php
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-config-center/target/dependency/random-beans-3.5.0.jar
MD5: 7a350b1371506951519a0f045574d566
SHA1: e0081e96a509d2bc7757674633b5ed577640277e
SHA256: 067dc8d3c1d1f4d73c17582edbc7a27bdc1fe28254c34de459ac9fa63a795525

Identifiers

reindex-client-5.2.1.jar

Description:

The Reindex module adds APIs to reindex from one index to another or update documents in place.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-batch/target/dependency/reindex-client-5.2.1.jar
MD5: d3407859a638305a672ee9914f4ddb97
SHA1: 0e94b21f6a1c51528d2f7ae92aad27f05748ccd9
SHA256: 32df0f6978b7ba37fb012ef56d5fc0573522177f45abad003320636d47c1a80b

Identifiers

CVE-2019-7611

A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used. If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2019-7614

A race condition flaw was found in the response headers that Elasticsearch versions before 7.2.1 and 6.8.2 return to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to a response header containing sensitive data from another user.
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2020-7019

In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

rest-5.2.1.jar

Description:

Elasticsearch subproject :client:rest

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-elasticsearch/target/dependency/rest-5.2.1.jar
MD5: 245a58c0103d2e3c53886cb29cf2273c
SHA1: e1792b0a249339fd4000820712f486a83cae3405
SHA256: 90d4d2df6009c1b9b23b4d2ce0e1f688dae79b8a1f7ada572d4ae2db9775e84b

Identifiers

CVE-2019-7611

A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used. If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2019-7614

A race condition flaw was found in the response headers that Elasticsearch versions before 7.2.1 and 6.8.2 return to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to a response header containing sensitive data from another user.
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2020-7019

In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

rhino-1.7R4.jar

Description:

Rhino is an open-source implementation of JavaScript written entirely in Java. It is typically embedded into Java applications to provide scripting to end users.

License:

Mozilla Public License, Version 2.0: http://www.mozilla.org/MPL/2.0/index.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/rhino-1.7R4.jar
MD5: 3850097fb5c9aa1065cc198f1b82dcf1
SHA1: e982f2136574b9a423186fbaeaaa98dc3e5a5288
SHA256: eb4cbd05a48ee4448825da229e94115e68adc6c5638d29022914e1178c60a6c4

Identifiers

rxjava-1.2.0.jar

Description:

rxjava

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/rxjava-1.2.0.jar
MD5: e537191fbc9b7147a3254ce5a77e71dd
SHA1: 42bfaf64c94f3848ebf5cf1c2ea4ec9d1b3ac6c8
SHA256: 2b6c36c1d46d9aeccc0408cb8d37d8e1338d80065d0ace26768d1eddce619670

Identifiers

securesm-1.1.jar

Description:

SecurityManager implementation that works around design flaws in Java

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-search/target/dependency/securesm-1.1.jar
MD5: 2ce8857836ff479756cf0cccd3f1fddf
SHA1: 1e423447d020041534be94c0f31a49fbdc1f2950
SHA256: 804330562c1cd2efc7fb2cfa3a5cfba6c308ee47664b1397da9d01f89d8a0d7c

Identifiers

servo-core-0.7.2.jar

Description:

servo-core developed by Netflix

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/servo-core-0.7.2.jar
MD5: dbd860da12d88bd2d18c6a20d250cae4
SHA1: b940f73ac9ddb440b79e801c8b936228dc0cc142
SHA256: 85009706a37dba8e1744a6e6cb7d63aea4fb8fa65f8b754c0952a1140762e568

Identifiers

shiro-core-1.6.0.jar

Description:

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-common/target/dependency/shiro-core-1.6.0.jar
MD5: de58c19080f89f3706ed26f78e2de0cd
SHA1: 6e53a0909f278989300996d529b129b23bae4752
SHA256: 2370d47faf2d2fff381e4ed5c60fa78b6dd9f0e372fb1f00cb03ddbdcaed2672

Identifiers

simpleclient-0.5.0.jar

Description:

Core instrumentation library for the simpleclient.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-config-center/target/dependency/simpleclient-0.5.0.jar
MD5: 5ab0820156188bb24f211ac2319d9e5d
SHA1: fbbfe2300098798e3d23f93b7b14befeceacf512
SHA256: 68e20a01ec974f382553b763f58594416c3c652b7067d8aeccf1a5ea6c8b1d0d

Identifiers

slf4j-api-1.7.24.jar

Description:

The slf4j API

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-mail/target/dependency/slf4j-api-1.7.24.jar
MD5: d18638036e314cdd66f04e2d248b7df9
SHA1: 3f6b4bd4f8dbe8d4bea06d107a3826469b85c3e9
SHA256: baf3c7fe15fefeaf9e5b000d94547379dc48370f22a8797e239c127e7d7756ec

Identifiers

slf4j-ext-1.6.3.jar

Description:

Extensions to the SLF4J API

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/slf4j-ext-1.6.3.jar
MD5: 63e5735b6af6c5b018b1ac78f30ef09c
SHA1: 5cd0f7bfbdefbb18bec7b6f152c9952795c0921b
SHA256: b40a8c26ab766d2be2d0ec79df730fd77e414f09e706741318d0dea6252dafee

Identifiers

CVE-2018-8088

org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

snakeyaml-1.17.jar

Description:

YAML 1.1 parser and emitter for Java

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-mail/target/dependency/snakeyaml-1.17.jar
MD5: ab621c3cee316236ad04a6f0fe4dd17c
SHA1: 7a27ea250c5130b2922b86dea63cbb1cc10a660c
SHA256: 5666b36f9db46f06dd5a19d73bbff3b588d5969c0f4b8848fde0f5ec849430a5

Identifiers

CVE-2017-18640

The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

spring-aspects-4.3.7.RELEASE.jar

Description:

Spring Aspects

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/spring-aspects-4.3.7.RELEASE.jar
MD5: 52cc06bd15aeb716d7d493b642b8b0e9
SHA1: fa0671826a42f6bac5145ffbc78075493dcb4e8b
SHA256: 4e2fa55685042380fd46df5a8e0b445471398bd4366e5074ab56d651220c618b

Identifiers

CVE-2018-11039

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allows web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-11040

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Neither is enabled by default in Spring Framework or Spring Boot; however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1199

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allow secured Spring MVC static resource URLs to be bypassed.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1257

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service attack.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1270

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-358 Improperly Implemented Security Check for Standard

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1271

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1272

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1275

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.
CWE-358 Improperly Implemented Security Check for Standard

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-15756

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2020-5421

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

References:

Vulnerable Software & Versions:

spring-auto-restdocs-core-1.0.7.jar

Description:

Spring Auto REST Docs is an extension to Spring REST Docs

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/spring-auto-restdocs-core-1.0.7.jar
MD5: 36727e808ab84682a3afb312320687d2
SHA1: 539fdf7691b60155292b989ce3e1df254c8d9cb3
SHA256: 597dc9ffef317ffdc891fd9ba709958fcb8e97dba56b4bb09f576bc1386d2d7b

Identifiers

spring-batch-core-3.0.7.RELEASE.jar

Description:

Spring Batch Core

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-batch/target/dependency/spring-batch-core-3.0.7.RELEASE.jar
MD5: 9ed0b6ea0e143bd92f85c0f7caba7458
SHA1: b736f8c14550cdb1440e28bb6aa690a387a7aa57
SHA256: c77e58e893e007d9512e547431127c0c7555bc5c84f93cf1d76c34254dc0ad6a

Identifiers

CVE-2019-3774

Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

spring-boot-1.5.2.RELEASE.jar

Description:

Spring Boot

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/spring-boot-1.5.2.RELEASE.jar
MD5: b1079a44277b381c3a5920272d230964
SHA1: 46bb5d8c9ab5d3ef9e158ca5906ee7d3569befc1
SHA256: 874ee5ee641928c3f6b16b7d11052a1f3a5d372db5bfa4673eb854f0c8b26c1a

Identifiers

CVE-2017-8046

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1196

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d Linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot applications that are not installed as a service, or that do not use the embedded launch script, are not susceptible.
CWE-59 Improper Link Resolution Before File Access ('Link Following')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

spring-boot-admin-server-1.5.0.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/spring-boot-admin-server-1.5.0.jar
MD5: 3ec68814132c9c0ae8d4f95eafd7ca9d
SHA1: 335560901d165a421f385ce7984e47b918bbefd6
SHA256: 3f3fca2b92b9b6e1e662ba7887803743bfc1eb6e7c487003cac73c94e58a98d9

Identifiers

CVE-2016-9878

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2017-8046

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1196

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d Linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot applications that are not installed as a service, or that do not use the embedded launch script, are not susceptible.
CWE-59 Improper Link Resolution Before File Access ('Link Following')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1270

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-358 Improperly Implemented Security Check for Standard

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1271

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1272

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2020-5421  

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

References:

Vulnerable Software & Versions: (show all)

spring-boot-admin-server-ui-1.5.0.jar: core.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/spring-boot-admin-server-ui-1.5.0.jar/META-INF/spring-boot-admin-server-ui/core.js
MD5: 96dde17482723b7dfbe80e9d2934cce1
SHA1: a21d82734be96e8a862ef52f31a1c0b4750b8c3e
SHA256:62433993ec0ab7e683be402eef5dd8432b2780006073f34c103b09b327dbabd3

Identifiers

  • None

spring-boot-admin-server-ui-1.5.0.jar: dependencies.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/spring-boot-admin-server-ui-1.5.0.jar/META-INF/spring-boot-admin-server-ui/dependencies.js
MD5: 57168e7802abcbc877c6ac858efecdce
SHA1: e910e3a889e3a59154cc383be465f7aca7a21b8e
SHA256:405c6275a1aedf0c9da5ee6e350c6417c2cf1d9ea34cfc0772933d6da46d9e14

Identifiers

CVE-2019-11358  

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.5.0; versions up to (excluding) 8.5.15
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.66
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (excluding) 8.6.15
  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0
  • cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.12.0; versions up to (excluding) 1.12.6
  • cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.11.0; versions up to (excluding) 1.11.9
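The CVE-2019-11358 entry above describes the prototype-pollution route through a deep jQuery.extend. The following JavaScript is an added example written for this page, not jQuery's source and not code from the scanned project: a minimal deep merge with the same shape as jQuery.extend(true, target, source) that reproduces the pollution from a constructed JSON payload, next to a hardened merge that refuses the "__proto__" key (the jQuery 3.4.0 fix also skips a source that is the target itself). The isAdmin property name and the payload are assumptions chosen for illustration.

```javascript
'use strict';

// Added example, not jQuery's source. A minimal deep merge in the style of
// jQuery.extend(true, target, source) that reproduces the CVE-2019-11358
// pattern, next to the check that closes it.

// Mirrors jQuery's isPlainObject: an object whose prototype is Object.prototype
// or null counts as "plain". Object.prototype itself has a null prototype, so it
// passes this test, which is what lets the vulnerable merge recurse into it.
function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// Vulnerable deep merge. With source = JSON.parse('{"__proto__": {...}}'),
// "__proto__" is an own, enumerable key of source. Reading target["__proto__"]
// on a plain target hits the Object.prototype.__proto__ accessor and returns
// Object.prototype, which then becomes the merge target for the nested object:
// every key in it lands on Object.prototype.
function deepExtendVulnerable(target, source) {
  for (const name of Object.keys(source)) {
    const copy = source[name];
    if (isPlainObject(copy)) {
      const src = target[name];
      const clone = isPlainObject(src) ? src : {};
      target[name] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Hardened deep merge: same loop, but a "__proto__" key is never copied and a
// source that is the target itself is skipped (the shape of the jQuery 3.4.0
// fix). This version also skips "constructor", which closes the other route to
// a shared prototype (obj.constructor.prototype) in merges that allow it.
function deepExtendSafe(target, source) {
  for (const name of Object.keys(source)) {
    if (name === '__proto__' || name === 'constructor') continue;
    const copy = source[name];
    if (copy === target) continue;
    if (isPlainObject(copy)) {
      const src = target[name];
      const clone = isPlainObject(src) ? src : {};
      target[name] = deepExtendSafe(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed attacker payload, e.g. a JSON body that a page merges into a
// settings object with a deep extend. "isAdmin" is an assumed property name.
const PAYLOAD = '{"__proto__": {"isAdmin": true}}';

// Runs both merges against the payload and reports what an unrelated, freshly
// created object looks like afterwards. Cleans up between the two runs so the
// results are independent of each other.
function demo() {
  deepExtendVulnerable({}, JSON.parse(PAYLOAD));
  const afterVulnerable = ({}).isAdmin;   // true: every object is now "admin"
  delete Object.prototype.isAdmin;        // undo the pollution

  deepExtendSafe({}, JSON.parse(PAYLOAD));
  const afterSafe = ({}).isAdmin;         // undefined
  return { afterVulnerable, afterSafe };
}

console.log(demo());
```

The key observation is that the payload never names Object.prototype; it relies on the merge reading back target["__proto__"] through the accessor and treating the result as an ordinary plain object. Any merge, clone or "set by path" helper that walks keys from untrusted JSON needs the same denylist of "__proto__", "constructor" and "prototype", or should build its targets with Object.create(null).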

CVE-2020-11022  

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.2; versions up to (excluding) 3.5.0

CVE-2020-11023  

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.0.3; versions up to (excluding) 3.5.0

CVE-2020-7676  

angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "<option>" elements in "<select>" ones changes parsing behavior, which can leave code unsanitized.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: /AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:angularjs:angular.js:*:*:*:*:*:*:*:* versions up to (excluding) 1.8.0

DOS in $sanitize (RETIREJS)  

DOS in $sanitize
Unscored:
  • Severity: medium

References:

Prototype pollution (RETIREJS)  

Prototype pollution
Unscored:
  • Severity: medium

References:

Universal CSP bypass via add-on in Firefox (RETIREJS)  

Universal CSP bypass via add-on in Firefox
Unscored:
  • Severity: medium

References:

XSS in $sanitize in Safari/Firefox (RETIREJS)  

XSS in $sanitize in Safari/Firefox
Unscored:
  • Severity: low

References:

XSS through SVG if enableSvg is set (RETIREJS)  

XSS through SVG if enableSvg is set
Unscored:
  • Severity: low

References:

spring-boot-admin-server-ui-1.5.0.jar: module.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/spring-boot-admin-server-ui-1.5.0.jar/META-INF/spring-boot-admin-server-ui/applications-metrics/module.js
MD5: 3dfed111f541deff8778f4edc81157a2
SHA1: 65808785ba132115a3442984aad9b4d25eaae0f0
SHA256:7f42364ab031a1aafe6dc8103f721d4f65ff80dbb1af1a21aed6e5beeea2c82e

Identifiers

  • None

spring-boot-admin-server-ui-1.5.0.jar: module.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/spring-boot-admin-server-ui-1.5.0.jar/META-INF/spring-boot-admin-server-ui/applications-trace/module.js
MD5: 700d4a0db3c2e404b98d9049404c811e
SHA1: bb0883bec2292600c92fc605c251f80fcef10cde
SHA256:4af4983c2eb3919dfbe21e27257fd2917fda5be30b8e897053678028f0cfb8e3

Identifiers

  • None

spring-boot-admin-server-ui-1.5.0.jar: module.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/spring-boot-admin-server-ui-1.5.0.jar/META-INF/spring-boot-admin-server-ui/events/module.js
MD5: bedbae08ee36438554e8d20144b68ee6
SHA1: e97cf28980353d102fb3da150fc33b3632bd9e21
SHA256:833db3379e112bff225255e20279d3d12f4505c2455e47b5ab8ce091f04d2d27

Identifiers

  • None

spring-boot-admin-server-ui-1.5.0.jar: module.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/spring-boot-admin-server-ui-1.5.0.jar/META-INF/spring-boot-admin-server-ui/applications-liquibase/module.js
MD5: 6c8d5f2a780cc1eeda536aef944dea0c
SHA1: 5756c0e9e99a4cf3b08744b04e4137f1c970de76
SHA256:2420421f03b22b02e5b144f2c8f23cce0a2698249e81e531c7f63dc2b2bc82c4

Identifiers

  • None

spring-boot-admin-server-ui-1.5.0.jar: module.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/spring-boot-admin-server-ui-1.5.0.jar/META-INF/spring-boot-admin-server-ui/applications-details/module.js
MD5: 5a4b11c123bf7a3388387b8cb6b6a5e2
SHA1: bfba738c135f85853046e3a75856c1bc47bc0863
SHA256:53a3d537df82d9c522a7255df4b602f895566e1774ec0844634e88315c1fe1f9

Identifiers

  • None

spring-boot-admin-server-ui-1.5.0.jar: module.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/spring-boot-admin-server-ui-1.5.0.jar/META-INF/spring-boot-admin-server-ui/applications-environment/module.js
MD5: 6cf90e43671d4205e1c137fa809be7e4
SHA1: 2b526c16cf8f752e226f6c85f3f3c3dc08aa12ca
SHA256:4a2ed033daea41572f0814f5a9a8f2662067f09d55a50acf7b01bdcebeac797f

Identifiers

  • None

spring-boot-admin-server-ui-1.5.0.jar: module.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/spring-boot-admin-server-ui-1.5.0.jar/META-INF/spring-boot-admin-server-ui/about/module.js
MD5: 732522411bf2c6f20f2be4595d25c2b8
SHA1: 4a27a41e756b0a1dc4d7ac17d10e2cd24d13ea24
SHA256:46aa86818e704f4b8d5a03e4eb42340c5af5b62ca66bbc7e789da72f5f41fb57

Identifiers

  • None

spring-boot-admin-server-ui-1.5.0.jar: module.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/spring-boot-admin-server-ui-1.5.0.jar/META-INF/spring-boot-admin-server-ui/applications-auditevents/module.js
MD5: 68d5c314d20fa902dd6b5d489fd363b4
SHA1: 6957d01f05a38e2d389a44b05c014c3a8e782102
SHA256:2c1837205b65e40fe4771fb1eb4641e5cb68f1a3b929d0247c2e509dcac8090a

Identifiers

  • None

spring-boot-admin-server-ui-1.5.0.jar: module.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/spring-boot-admin-server-ui-1.5.0.jar/META-INF/spring-boot-admin-server-ui/applications-flyway/module.js
MD5: 64ef419a8d9f9245b95eae0b2ebf6323
SHA1: f2b968b3724202ea3c7c3e64cea03bc89efcb791
SHA256:9d9e61aef9506b6296bf1f09e5607a3b38a550c6415e4894414b322863c6e9a8

Identifiers

  • None

spring-boot-admin-server-ui-1.5.0.jar: module.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/spring-boot-admin-server-ui-1.5.0.jar/META-INF/spring-boot-admin-server-ui/applications-logfile/module.js
MD5: 76309f004e3525a8a31642fb6208a7ae
SHA1: e646f53d18e4ea8f236d7030ced3cc18ecd060ed
SHA256:8cb316e6a7600ccc411ad2c18a82014f2292d53a103772997d8ea2a41f6d41fc

Identifiers

  • None

spring-boot-admin-server-ui-1.5.0.jar: module.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/spring-boot-admin-server-ui-1.5.0.jar/META-INF/spring-boot-admin-server-ui/applications-threads/module.js
MD5: ed2dff1e0dd9e9b97105f03cf7fd2fe0
SHA1: 44091c2611cff43373bf19d71e773f3d162b7486
SHA256:bb812f2dbbf016aa246ac85171cef9368a0c188514115dcb594f97442b441f75

Identifiers

  • None

spring-boot-admin-server-ui-1.5.0.jar: module.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/spring-boot-admin-server-ui-1.5.0.jar/META-INF/spring-boot-admin-server-ui/applications-logging/module.js
MD5: 8e327853da45abf9bfde678b912406f4
SHA1: 4767a178806ce9e463c8e5c27303672dcedeb34d
SHA256:e4997774d8425065dd2df1197f278e37c9afe2887c71e65bc7aeab312420e748

Identifiers

  • None

spring-boot-admin-server-ui-1.5.0.jar: module.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/spring-boot-admin-server-ui-1.5.0.jar/META-INF/spring-boot-admin-server-ui/applications-heapdump/module.js
MD5: 0d3a43e927437df65c93bc2ad64da973
SHA1: de96f27425d1d6d159b80f8d51b2c41d176ad414
SHA256:95255fb8c09a3748373f7e68864b39f3128c831f6e1af78eaf4443aed74db164

Identifiers

  • None

spring-boot-admin-server-ui-1.5.0.jar: module.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/spring-boot-admin-server-ui-1.5.0.jar/META-INF/spring-boot-admin-server-ui/applications/module.js
MD5: 65ed48d947efa63f94d74be0dc9c8454
SHA1: 27841a2e01f497ee8995e15b46c061a59f5fe6da
SHA256:28cfb0af245ad53db11321479e648958d4c9654b252b5613f3eb637a9bee607d

Identifiers

  • None

spring-boot-admin-server-ui-1.5.0.jar: module.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/spring-boot-admin-server-ui-1.5.0.jar/META-INF/spring-boot-admin-server-ui/applications-jmx/module.js
MD5: 05548333e18eafc29e421fd69f89991a
SHA1: 3973dc98bf616677565076dcaded0c7517cdab77
SHA256:a904d442f3b0e3ff11c11285d59b3ca2c72362d15e360a89dd240cfd34de67b0

Identifiers

  • None

spring-boot-starter-batch-1.5.2.RELEASE.jar

Description:

Starter for using Spring Batch

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-batch/target/dependency/spring-boot-starter-batch-1.5.2.RELEASE.jar
MD5: 44baab849d95313526250cb5fc32a4e2
SHA1: c5fbf797c20d3c9e618ce1022b4437b0eda5bc93
SHA256:a95dd5224a9a666ee4e1ab2f186787c0faa595a42ee7ac96ff0a8d1e00283bdf

Identifiers

CVE-2017-8046  

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2018-1196  

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot applications that are not installed as a service, or are not using the embedded launch script, are not susceptible.
CWE-59 Improper Link Resolution Before File Access ('Link Following')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2019-3774  

Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions: (show all)

spring-boot-starter-data-redis-1.5.2.RELEASE.jar

Description:

Starter for using Redis key-value data store with Spring Data Redis and the Jedis client

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/spring-boot-starter-data-redis-1.5.2.RELEASE.jar
MD5: d90ac6cea8dcaf55826cb85648307cd7
SHA1: 6b4c950f0ea2e9ccd822c7730a9ce4320416183d
SHA256:309db515f55fd2651931929aaf743f01a30745cc30cfc50172cec2be32767a88

Identifiers

CVE-2017-8046  

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2018-1196  

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot applications that are not installed as a service, or are not using the embedded launch script, are not susceptible.
CWE-59 Improper Link Resolution Before File Access ('Link Following')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions: (show all)

spring-cloud-commons-1.2.0.RELEASE.jar

Description:

Spring Cloud Commons

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/spring-cloud-commons-1.2.0.RELEASE.jar
MD5: 1f531d264add9eea24c4168df3e0452b
SHA1: de0024fa88cc6c1ecbc30980e15acf25c0f5ef21
SHA256:cfc59d0d3963047d9ed1fa7617def5b7132ccb614f7885b02366c5ddbb9d1099

Identifiers

spring-cloud-context-1.2.0.RELEASE.jar

Description:

Spring Cloud Context

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/spring-cloud-context-1.2.0.RELEASE.jar
MD5: 2d03c41579eeecae1e1ebbad7305e363
SHA1: 4f2a9fa553883dedc21587e45080b67911fb7d26
SHA256:9a33cffa25fe7cbe225449ddf659fa04b580b6ceb88a9686b04bc352c0f9bb05

Identifiers

spring-cloud-netflix-core-1.3.0.RELEASE.jar

Description:

Spring Cloud Netflix Core

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/spring-cloud-netflix-core-1.3.0.RELEASE.jar
MD5: 215eaa55f8a85dea09e135de5ecad7e8
SHA1: 1ad134229d53e9263f08124d62c65882c5dee8e7
SHA256:5a1db3700bfda1220938df7c26e243db31bb8d05a0f17c981847522833dff4b9

Identifiers

spring-context-support-1.0.5.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-config-center/target/dependency/spring-context-support-1.0.5.jar
MD5: f08cbade1a26650be0daa2f16e42bd19
SHA1: f5243e823345f9d228efe51008507f166261f66c
SHA256:70859e39b5c6305848ccc04b2010f1461c7ebb016d8df08d82c8c04922e44bd0

Identifiers

spring-core-4.3.7.RELEASE.jar

Description:

Spring Core

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-sms-http/target/dependency/spring-core-4.3.7.RELEASE.jar
MD5: bfe2809bd044dc97cfca5db00e8ab1e4
SHA1: 54fa2db94cc7222edc90ec71354e47cd1dc07f7b
SHA256:fff510e18dbe8f3bb9eec0dcfd253615b820be9f15e51b788db2440b05384aaa

Identifiers

CVE-2018-11039  

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2018-11040  

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Neither is enabled by default in Spring Framework or Spring Boot; however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2018-1199  

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allow secured Spring MVC static resource URLs to be bypassed.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2018-1257  

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service (ReDoS) attack.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2018-1270  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-358 Improperly Implemented Security Check for Standard

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2018-1271  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2018-1272  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2018-1275  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.
CWE-358 Improperly Implemented Security Check for Standard

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2018-15756  

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)
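The CVE-2018-15756 entry above describes a Range header with many ranges, wide overlapping ranges, or both. The following JavaScript is an added example written for this page, not Spring's code and not code from the scanned project: a byte-range parser, a naive handler whose work is the sum of every requested region, and a guard that caps the number of ranges and rejects overlaps before a single byte is copied. The 1 MB resource size, the 500-range attack header and the limit of 100 ranges are assumptions chosen for illustration, not Spring's values.

```javascript
'use strict';

// Added example, not Spring's code. A byte-range parser, a naive handler whose
// work grows with the sum of all requested regions, and a guard that bounds
// the number of ranges and refuses overlapping ones before serving anything.

// Parses "bytes=a-b,c-,-n" into inclusive [start, end] pairs clipped to the
// resource. Returns null when the header is malformed. Ranges that start past
// the end of the resource are dropped, as RFC 7233 says to ignore them.
function parseByteRanges(header, resourceLength) {
  if (typeof header !== 'string' || !header.startsWith('bytes=')) return null;
  const ranges = [];
  for (const spec of header.slice('bytes='.length).split(',')) {
    const m = /^\s*(\d*)-(\d*)\s*$/.exec(spec);
    if (!m || (m[1] === '' && m[2] === '')) return null;
    let start;
    let end;
    if (m[1] === '') {                      // suffix form "-n": the last n bytes
      const n = Number(m[2]);
      if (n === 0) return null;
      start = Math.max(0, resourceLength - n);
      end = resourceLength - 1;
    } else {
      start = Number(m[1]);
      end = m[2] === '' ? resourceLength - 1 : Math.min(Number(m[2]), resourceLength - 1);
    }
    if (start >= resourceLength || start > end) continue;
    ranges.push([start, end]);
  }
  return ranges;
}

// Naive handler: every region is materialized in full, so a header that names
// the whole file 500 times makes the server produce 500 copies of it. Returns
// the number of bytes that would be written for the request.
function bytesServedNaive(header, resourceLength) {
  const ranges = parseByteRanges(header, resourceLength) || [];
  return ranges.reduce((sum, [s, e]) => sum + (e - s + 1), 0);
}

// Guard to run before serving: caps the number of ranges and rejects any pair
// that overlaps. maxRanges = 100 is an assumed limit for this example.
function checkRangeHeader(header, resourceLength, maxRanges = 100) {
  const ranges = parseByteRanges(header, resourceLength);
  if (ranges === null) return { ok: false, reason: 'malformed Range header' };
  if (ranges.length > maxRanges) return { ok: false, reason: `more than ${maxRanges} ranges` };
  const sorted = [...ranges].sort((a, b) => a[0] - b[0]);
  for (let i = 1; i < sorted.length; i++) {
    if (sorted[i][0] <= sorted[i - 1][1]) return { ok: false, reason: 'overlapping ranges' };
  }
  return { ok: true, ranges: sorted };
}

// Constructed attack: one request naming the whole 1 MB resource 500 times.
const RESOURCE_LENGTH = 1000000;
const ATTACK_HEADER = 'bytes=' + Array.from({ length: 500 }, () => '0-').join(',');

function demo() {
  return {
    naiveBytes: bytesServedNaive(ATTACK_HEADER, RESOURCE_LENGTH),        // 500000000
    guard: checkRangeHeader(ATTACK_HEADER, RESOURCE_LENGTH),             // { ok: false, reason: 'more than 100 ranges' }
    benign: checkRangeHeader('bytes=0-99,200-299', RESOURCE_LENGTH).ok,  // true
  };
}

console.log(demo());
```

When the guard rejects a header the server has two cheap options: answer 416 Range Not Satisfiable, or ignore the Range header and return the whole resource with 200. Either costs one copy of the file instead of one copy per range.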

CVE-2020-5421  

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

References:

Vulnerable Software & Versions: (show all)

spring-data-commons-1.13.1.RELEASE.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/spring-data-commons-1.13.1.RELEASE.jar
MD5: 376b1dce8f8530301ef1834d773138fc
SHA1: 4e4257f2eb3f191613b4b000d43e8d0c3ff4457e
SHA256:4ec5af43f6b06d676916007d3a551862710c782309d1ded4e231c22479669d2d

Identifiers

CVE-2018-1259 (OSSINDEX)  

Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.springframework.data:spring-data-commons:1.13.1.RELEASE:*:*:*:*:*:*:*

CVE-2018-1273 (OSSINDEX)  

Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding that can lead to a remote code execution attack.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.springframework.data:spring-data-commons:1.13.1.RELEASE:*:*:*:*:*:*:*

CVE-2018-1274 (OSSINDEX)  

Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.springframework.data:spring-data-commons:1.13.1.RELEASE:*:*:*:*:*:*:*

spring-data-keyvalue-1.2.1.RELEASE.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/spring-data-keyvalue-1.2.1.RELEASE.jar
MD5: ec9c7b7f16b29929143b36955049b09f
SHA1: 993c7ec323601450e0dd22f010de3e94f2b7ba56
SHA256:97b4de501fe866cbda7225e3540bc55213a28ac67dd6c8c6ce27cfcb680ea9d7

Identifiers

spring-data-redis-1.8.1.RELEASE.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/spring-data-redis-1.8.1.RELEASE.jar
MD5: ba1dd3e69c202a9edafea038b1edaaed
SHA1: a1bc2034d8b00090edb991f208d491e78d610457
SHA256:bb62b27cf9246b49932ce340ec47252ad73746c3c18eba4e5e5df7329af41258

Identifiers

spring-oxm-4.3.7.RELEASE.jar

Description:

Spring Object/XML Marshalling

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/spring-oxm-4.3.7.RELEASE.jar
MD5: c09466a060334515f04a0f82b42547f1
SHA1: 8919cafd01bba4c8dac4ec91f8c8f9060fa888d3
SHA256:c0d5d51ceaf46d7ebbdb6881434d90bb75b158fc673b8138dcc53e45bd399cbb

Identifiers

CVE-2018-11039  

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2018-11040  

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Neither is enabled by default in Spring Framework or Spring Boot; however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2018-1199  

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allow secured Spring MVC static resource URLs to be bypassed.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:
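The bypass class this entry describes is a parser differential: the authorization layer matches one representation of the path while the resource layer resolves another. The following is an added illustration of that mechanism, not Spring Security's or any Servlet container's code. The secured prefix, the request paths and the "reject semicolons" rule are constructed for the demo; path parameters are the ";name=value" suffixes a URI segment may carry (RFC 3986 matrix syntax, what the Servlet API calls path parameters).

```javascript
// Added illustration, not Spring Security code. The secured prefix and
// request paths below are constructed for the demo.

// Naive guard: matches the raw request URI, never stripping parameters.
function naiveIsSecured(path) {
  return path.startsWith('/admin/');
}

// Resource resolver: drops ";..." from every segment before lookup,
// so "/admin;x=1/report" is served as "/admin/report".
function stripPathParameters(path) {
  return path.split('/').map(seg => seg.split(';')[0]).join('/');
}

// Vulnerable pipeline: authorize one representation, serve another.
function vulnerableServe(rawPath) {
  if (naiveIsSecured(rawPath)) return { status: 401 };
  return { status: 200, served: stripPathParameters(rawPath) };
}

// Hardened pipeline: reject path parameters up front (what a strict
// request firewall does) and authorize the same normalized form that
// will be resolved. Either measure alone closes this particular gap.
function hardenedServe(rawPath) {
  if (rawPath.includes(';')) return { status: 400 };
  const normalized = stripPathParameters(rawPath);
  if (naiveIsSecured(normalized)) return { status: 401 };
  return { status: 200, served: normalized };
}

// Percent-encoding is the same disagreement one decode step later: a
// guard that compares before decoding and a resolver that decodes after
// it differ again. Decode exactly once, refuse anything still encoded
// (double encoding), then apply the rules above.
function hardenedServeDecoded(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch (e) {
    return { status: 400 };            // malformed %-sequence
  }
  if (decoded.includes('%')) return { status: 400 };
  return hardenedServe(decoded);
}
```

The check a practitioner wants from this is the first assertion in the test: the raw path "/admin;x=1/report" does not start with "/admin/", so the naive guard lets it through, and the resolver then serves "/admin/report". Whatever the container returns from getPathInfo(), the safe design is to authorize the exact string that will be used to locate the resource.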

CVE-2018-1257  

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service (ReDoS) attack.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1270  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-358 Improperly Implemented Security Check for Standard

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1271  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1272  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted into the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:
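The mechanism in this entry is the multipart equivalent of header injection: a value that contains the boundary closes its own part and opens a new one. The following is an added illustration of that class, not Spring's multipart client code. The boundary, the field layout, the attacker payload and the minimal parser standing in for server B are all constructed for the demo.

```javascript
// Added illustration, not Spring's multipart client code. Boundary,
// fields and payload are constructed for the demo.
const CRLF = '\r\n';

// Naive builder: writes each field into the body verbatim.
function buildMultipartNaive(boundary, fields) {
  let body = '';
  for (const [name, value] of Object.entries(fields)) {
    body += `--${boundary}${CRLF}`;
    body += `Content-Disposition: form-data; name="${name}"${CRLF}${CRLF}`;
    body += `${String(value)}${CRLF}`;
  }
  return body + `--${boundary}--${CRLF}`;
}

// Hardened builder: refuses a value that could terminate the current part
// and a name that could break out of its header. A real client also picks
// the boundary at random per request so a remote user cannot know it; a
// fixed one is used here only so the output is reproducible.
function buildMultipartHardened(boundary, fields) {
  for (const [name, value] of Object.entries(fields)) {
    if (/[\r\n"]/.test(name)) throw new Error(`illegal part name: ${JSON.stringify(name)}`);
    if (String(value).includes(`--${boundary}`)) {
      throw new Error(`field "${name}" contains the multipart boundary`);
    }
  }
  return buildMultipartNaive(boundary, fields);
}

// Minimal parser standing in for server B. Returns name -> value; when a
// name repeats the last part wins (parsers differ here, which is exactly
// why the builder must not let duplicates arise in the first place).
function parseMultipart(boundary, body) {
  const fields = {};
  for (const raw of body.split(`--${boundary}`)) {
    if (raw === '' || raw.startsWith('--')) continue;   // preamble / closing delimiter
    const [head, ...rest] = raw.split(CRLF + CRLF);
    const m = /name="([^"]*)"/.exec(head);
    if (!m) continue;
    let value = rest.join(CRLF + CRLF);
    if (value.endsWith(CRLF)) value = value.slice(0, -CRLF.length);
    fields[m[1]] = value;
  }
  return fields;
}

function runDemo() {
  const boundary = 'demoBoundary1234';   // constructed; random in practice
  // Attacker-controlled username that smuggles a second "role" part.
  const smuggled = 'alice' + CRLF + `--${boundary}` + CRLF +
    'Content-Disposition: form-data; name="role"' + CRLF + CRLF + 'admin';

  const naive = parseMultipart(boundary,
    buildMultipartNaive(boundary, { role: 'user', username: smuggled }));
  let hardenedError = null;
  try {
    buildMultipartHardened(boundary, { role: 'user', username: smuggled });
  } catch (e) {
    hardenedError = e.message;
  }
  const honest = parseMultipart(boundary,
    buildMultipartHardened(boundary, { role: 'user', username: 'alice' }));
  return { naive, hardenedError, honest };
}
```

Whether the smuggled duplicate or the legitimate part wins at server B depends on B's parser (first-wins, last-wins, or multi-valued), so the fix belongs in the builder on server A, not in guessing B's behaviour.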

CVE-2018-1275  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.
CWE-358 Improperly Implemented Security Check for Standard

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-15756  

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:
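The defence against the two header shapes this entry names (many ranges, wide overlapping ranges) is to validate the Range header before any bytes are read. The following is an added illustration of such a check, not Spring's ResourceHttpRequestHandler or HttpRange code. The two limits are constructed for the demo and are not Spring's actual thresholds; the parsing follows RFC 7233 byte-range syntax.

```javascript
// Added illustration, not Spring's range handling. Limits are constructed
// for the demo, not Spring's thresholds.
const MAX_RANGES = 10;
const MAX_TOTAL_FACTOR = 2;   // all ranges together may cover at most 2x the resource

// Parses "bytes=first-last, first-, -suffix" (RFC 7233) against a resource
// of resourceLength bytes. Returns {ok:true, ranges:[[start,end],...]}
// with inclusive offsets, or {ok:false, reason}.
function validateRange(header, resourceLength) {
  const m = /^bytes=(.+)$/.exec(header || '');
  if (!m) return { ok: false, reason: 'no byte range' };
  const specs = m[1].split(',').map(s => s.trim());
  if (specs.length > MAX_RANGES) return { ok: false, reason: 'too many ranges' };
  const ranges = [];
  let total = 0;
  for (const spec of specs) {
    const r = /^(\d*)-(\d*)$/.exec(spec);
    if (!r || (r[1] === '' && r[2] === '')) return { ok: false, reason: 'malformed range' };
    let start, end;
    if (r[1] === '') {
      start = Math.max(0, resourceLength - Number(r[2]));   // suffix: last N bytes
      end = resourceLength - 1;
    } else {
      start = Number(r[1]);
      end = r[2] === '' ? resourceLength - 1 : Math.min(Number(r[2]), resourceLength - 1);
    }
    if (start >= resourceLength || start > end) return { ok: false, reason: 'unsatisfiable' };
    ranges.push([start, end]);
    total += end - start + 1;
    // Overlapping or repeated wide ranges blow past the total cap long
    // before they would exhaust memory or CPU copying the resource.
    if (total > MAX_TOTAL_FACTOR * resourceLength) {
      return { ok: false, reason: 'ranges cover too much' };
    }
  }
  return { ok: true, ranges };
}

// The header shape this entry describes, built for the demo: N copies of
// a range spanning the whole resource.
function abusiveRangeHeader(count, resourceLength) {
  return 'bytes=' + Array.from({ length: count }, () => `0-${resourceLength - 1}`).join(',');
}
```

Rejecting with 416 (or ignoring the Range header and serving the full body) once either cap is exceeded keeps the cost of a hostile request at one header parse; servicing a multi-range request also means a multipart/byteranges response, which is the expensive path.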

CVE-2020-5421  

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

References:

Vulnerable Software & Versions:

spring-plugin-core-1.2.0.RELEASE.jar

Description:

Core plugin infrastructure

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/spring-plugin-core-1.2.0.RELEASE.jar
MD5: 4e6325e5ed2c1aa1949313c184d83640
SHA1: f380e7760032e7d929184f8ad8a33716b75c0657
SHA256:de8d411556cccbb9a68a4b40f847e473593336412de86fb3f6f7f61f3923c09e

Identifiers

spring-plugin-metadata-1.2.0.RELEASE.jar

Description:

Extension package for metadata based plugins

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/spring-plugin-metadata-1.2.0.RELEASE.jar
MD5: 63a461c6e878b1a510f0bb5c58b7ade7
SHA1: 97223fc496b6cab31602eedbd4202aa4fff0d44f
SHA256:aa58a6e6d038553b6bfae03bd18cd985e4bfb37cb2fb6406551b87f57283b00a

Identifiers

spring-restdocs-core-1.1.2.RELEASE.jar

Description:

Spring REST Docs Core

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/spring-restdocs-core-1.1.2.RELEASE.jar
MD5: d5f3cb36478548b05ad0e68849af6cfe
SHA1: 61ba63f3ce3011e23951a69e0b8143ef13b6b12c
SHA256:c433de4a512ac2cfb90af767c76f8ff0e3f289b54a8ea5c585873574560439f0

Identifiers

spring-restdocs-mockmvc-1.1.2.RELEASE.jar

Description:

Spring REST Docs MockMvc

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/spring-restdocs-mockmvc-1.1.2.RELEASE.jar
MD5: 81ac13c98d6e077bdf66f0ba0b0c25ee
SHA1: c1bde872eab6e5cc0e037af386b1f21553cb06cf
SHA256:7195b3c3c52cd5cec41e04316ae833c8e0d3093a9db6a8fa755bfbf669f8fc3c

Identifiers

spring-retry-1.2.0.RELEASE.jar

Description:

Spring Retry provides an abstraction around retrying failed operations, with an emphasis on declarative control of the process and policy-based behaviour that is easy to extend and customize. For instance, you can configure a plain POJO operation to retry if it fails, based on the type of exception, and with a fixed or exponential backoff.

License:

Apache 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-batch/target/dependency/spring-retry-1.2.0.RELEASE.jar
MD5: 045ebabdaf902bac8af8e8d83a236346
SHA1: 4e2b3ea37df07ef6fd905696f1aa5d50128c2782
SHA256:b3b8665be8894c21677598c9190d50df48742800deadc67bdd030ea7e69a8724

Identifiers

spring-security-crypto-4.2.2.RELEASE.jar

Description:

spring-security-crypto

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/spring-security-crypto-4.2.2.RELEASE.jar
MD5: 778150c2ad2b2b857819de08568d10b5
SHA1: 713ae22bcef55ae21ca1967d7cb217a1efab5dbf
SHA256:21051eb56dc16338a4fe9b5d61a2cf8dff5d51087e8020ecd152ed9b0f2bdc51

Identifiers

CVE-2017-4995  

An issue was discovered in Pivotal Spring Security 4.2.0.RELEASE through 4.2.2.RELEASE, and Spring Security 5.0.0.M1. When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets." Spring Security configures Jackson with global default typing enabled, which means that (through the previous exploit) arbitrary code could be executed if all of the following is true: (1) Spring Security's Jackson support is being leveraged by invoking SecurityJackson2Modules.getModules(ClassLoader) or SecurityJackson2Modules.enableDefaultTyping(ObjectMapper); (2) Jackson is used to deserialize data that is not trusted (Spring Security does not perform deserialization using Jackson, so this is an explicit choice of the user); and (3) there is an unknown (Jackson is not blacklisting it already) "deserialization gadget" that allows code execution present on the classpath. Jackson provides a blacklisting approach to protecting against this type of attack, but Spring Security should be proactive against blocking unknown "deserialization gadgets" when Spring Security enables default typing.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1199  

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allow secured Spring MVC static resource URLs to be bypassed.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1258  

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: /AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2019-11272  

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
CWE-522 Insufficiently Protected Credentials

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.3)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References:

Vulnerable Software & Versions:

CVE-2019-3795  

Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
CWE-332 Insufficient Entropy in PRNG

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2020-5408  

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
CWE-330 Use of Insufficiently Random Values

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

springfox-bean-validators-2.5.0.jar

Description:

JSON API documentation for spring based applications

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-bean-validators-2.5.0.jar
MD5: febfcd49f1b2654c7dd329c3aad902d7
SHA1: da1d452831cca4a75c7343cfa4f2a699a3861375
SHA256:91eff1b77957d9a9c8b22b7aacbdcb3a7a28f215143ea8d411040d792ba8dbf1

Identifiers

springfox-core-2.5.0.jar

Description:

JSON API documentation for spring based applications

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-core-2.5.0.jar
MD5: aeb8465ba7e601c373648a59a5f33afa
SHA1: 5b2310cd6b2cf584b81a14edf12e522abc966255
SHA256:8a5bdc19f95a7e0aa4942b67e08b9fa456da1d2817da67750de8301f1e9c4088

Identifiers

springfox-schema-2.5.0.jar

Description:

JSON API documentation for spring based applications

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-schema-2.5.0.jar
MD5: fe413997108f58ceccb3eb2daeafb41c
SHA1: 2716c322aff0cf2684715b6022f1edb7dacb8f67
SHA256:10a84e784bbd0f917a8346d58b9c7ea5e8fc89cc7027a89c4d62c9f5bc95b265

Identifiers

springfox-spi-2.5.0.jar

Description:

JSON API documentation for spring based applications

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-spi-2.5.0.jar
MD5: 11d4862c8fb4b37af73ba2c3aa3b909c
SHA1: 1b439a0b05feee1e1af8ca35c0d35b38096f7601
SHA256:08a3e20ca1690ef4e871f0af3aab083d7290b2bd2500a1f83ccff129f9c23e59

Identifiers

springfox-spring-web-2.5.0.jar

Description:

JSON API documentation for spring based applications

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-spring-web-2.5.0.jar
MD5: 491d6b3574e77100f98d58d21602e736
SHA1: 88adc4f0c85b06a9f47222ab68c6230a24d08ee0
SHA256:6a4d5b8684559c72138395a777597c543f984207c5e22734b714b940084f2c94

Identifiers

springfox-staticdocs-2.5.0.jar

Description:

JSON API documentation for spring based applications

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-staticdocs-2.5.0.jar
MD5: b3b7a07fa38928210f63dac1ccc50571
SHA1: e500bfa4ed9935924e4c98cdf87b41bdef7870ac
SHA256:67a4b545474fa43d338972e003fec345376500dbbd3c301ae2f416cd52be5661

Identifiers

springfox-swagger-common-2.5.0.jar

Description:

JSON API documentation for spring based applications

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-common-2.5.0.jar
MD5: 455ab0ff2193d7691e4b5efc5c2f81fb
SHA1: 817f6b5cf4ee5304b762f57ab85d2d1a2ea1f32a
SHA256:4dfcc95f666c7f6c060137dc47fc1881dcd2e78b86ec8b4d5fc9bb37082d8ade

Identifiers

springfox-swagger-ui-2.5.0.jar

Description:

JSON API documentation for spring based applications

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-ui-2.5.0.jar
MD5: 298487c0b1ac1bea4acdd8c6b0ad0fe1
SHA1: 6f7838c1d208edb5c3de2bce2232969623dac88b
SHA256:127d82cd97e53d470d351b96e9f28aea6cf3c08c8518fb939578d691c6a05833

Identifiers

springfox-swagger-ui-2.5.0.jar: backbone-min.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-ui-2.5.0.jar/META-INF/resources/webjars/springfox-swagger-ui/lib/backbone-min.js
MD5: 3aa65f4d5feaf64d0bf0083e2a018ba3
SHA1: 7afbb3f29409bc043251d27c213b11bc42c4ebd8
SHA256:67dc299a9549deb93ce4626f21c2cb06c9d9950992de2fb2402abc77e0e30dc9

Identifiers

  • None

springfox-swagger-ui-2.5.0.jar: en.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-ui-2.5.0.jar/META-INF/resources/webjars/springfox-swagger-ui/lang/en.js
MD5: abff222dc970385e4691fd5bb4abb58d
SHA1: 6e834c84a7706ebb96957f9e3b2a6e1bf48f3a5a
SHA256:06cf61a6e0e9b6ee19cec6b16a2c30119a831c824acb4f6ca2675ec747cc3b26

Identifiers

  • None

springfox-swagger-ui-2.5.0.jar: es.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-ui-2.5.0.jar/META-INF/resources/webjars/springfox-swagger-ui/lang/es.js
MD5: 87c7dd16425207f85a46b0f353023a81
SHA1: 5c95dbec5315b494d45537558b9428200f670399
SHA256:bae5cc856a227f67c71b2d60583a9a9f1e3124f9907b194fc99f79e61f56c921

Identifiers

  • None

springfox-swagger-ui-2.5.0.jar: fr.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-ui-2.5.0.jar/META-INF/resources/webjars/springfox-swagger-ui/lang/fr.js
MD5: a09e955cae662a2106b77685a898033b
SHA1: 97e9a2773c4160d568265bb8066bf20d1e5e13a1
SHA256:33c6569cbdd9d4b2bc172c53757d6775fa30554d3d1adfdcd24b4b83e96809ae

Identifiers

  • None

springfox-swagger-ui-2.5.0.jar: handlebars-2.0.0.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-ui-2.5.0.jar/META-INF/resources/webjars/springfox-swagger-ui/lib/handlebars-2.0.0.js
MD5: 501c421a9bc201f50c76c8d28af0cb36
SHA1: f25d39dc72774e392d55d98dd1d1285b1e213809
SHA256:7cb481a09730ac4f570ec37702f2fa70ce197bec81100565c6817eb13666a796

Identifiers

Disallow calling helperMissing and blockHelperMissing directly (RETIREJS)  

Disallow calling helperMissing and blockHelperMissing directly
Unscored:
  • Severity: low

References:

Prototype pollution (RETIREJS)  

Prototype pollution
Unscored:
  • Severity: medium

References:

Quoteless attributes in templates can lead to XSS (RETIREJS)  

Quoteless attributes in templates can lead to XSS
Unscored:
  • Severity: medium

References:

springfox-swagger-ui-2.5.0.jar: highlight.7.3.pack.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-ui-2.5.0.jar/META-INF/resources/webjars/springfox-swagger-ui/lib/highlight.7.3.pack.js
MD5: 1faadb031ba98569ab3e854b64b2db06
SHA1: 3e43686bd2b3ced379ee47f07d5c03a3a97d9827
SHA256:8ac611530446e502594abee6cedf1406f60c59b373e2482f8898211e766ca18d

Identifiers

  • None

springfox-swagger-ui-2.5.0.jar: it.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-ui-2.5.0.jar/META-INF/resources/webjars/springfox-swagger-ui/lang/it.js
MD5: 7f30ec6957dcf6d657e7b47ceba0f479
SHA1: 62336364e5c631d0e10ad931ecffe826edba48a6
SHA256:0ef3a9d1c5e45f675ebf36006e591e921cc5b446c9d7266584ad67209d2beeec

Identifiers

  • None

springfox-swagger-ui-2.5.0.jar: ja.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-ui-2.5.0.jar/META-INF/resources/webjars/springfox-swagger-ui/lang/ja.js
MD5: 3fe74190f8406d60b044a838b4744933
SHA1: 0c5c25aa804abf00869c97f8c68c72c5365aad0a
SHA256:e2c439d3e34458c5057699eed719b8a4bd4234cffca28f15ab24f3b0e1644d5c

Identifiers

  • None

springfox-swagger-ui-2.5.0.jar: jquery-1.8.0.min.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-ui-2.5.0.jar/META-INF/resources/webjars/springfox-swagger-ui/lib/jquery-1.8.0.min.js
MD5: 3a728460147fb9af7faf0e587b9fbf42
SHA1: f3a55f44fb81cf8ee908a3872841f70d6548f8c1
SHA256:8c574e0a06396dfa7064b8b460e0e4a8d5d0748c4aa66eb2e4efdfcb46da4b31

Identifiers

CVE-2012-6708  

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 1.9.0

CVE-2015-9251  

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:* versions up to (excluding) 6.1.0.4.0
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5
  • cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.0.0
  • cpe:2.3:a:oracle:enterprise_operations_monitor:3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:oss_support_tools:19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_sales_audit:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_ui_framework:18.10:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6
  • cpe:2.3:a:oracle:siebel_ui_framework:18.11:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_workforce_management_software:1.64.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:* versions from (including) 4.3.0.1; versions up to (including) 4.3.0.4
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:real-time_scheduler:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_operations_monitor:4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:* versions up to (excluding) 7.0.0.1
  • cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_webrtc_session_controller:*:*:*:*:*:*:*:* versions up to (excluding) 7.2
  • cpe:2.3:a:oracle:business_process_management_suite:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_invoice_matching:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_allocation:15.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:endeca_information_discovery_studio:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.6
  • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.1; versions up to (including) 17.12

CVE-2019-11358  

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.5.0; versions up to (excluding) 8.5.15
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.66
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (excluding) 8.6.15
  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0
  • cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.12.0; versions up to (excluding) 1.12.6
  • cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.11.0; versions up to (excluding) 1.11.9
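The mechanism in this entry is a recursive merge that treats a key literally named "__proto__" like any other: JSON.parse creates an own property with that name, and target["__proto__"] on a plain target resolves through the accessor to Object.prototype, so the recursion writes onto every object in the process. The following is an added illustration of a vulnerable deep merge beside a hardened one, not jQuery's extend source; the payload is constructed for the demo.

```javascript
// Added illustration, not jQuery's source. Payload constructed for the demo.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable deep merge: no key filtering, descends into inherited targets.
function extendVulnerable(target, source) {
  for (const key in source) {
    if (!Object.prototype.hasOwnProperty.call(source, key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = target[key];                 // for "__proto__": Object.prototype
      target[key] = extendVulnerable(isPlainObject(existing) ? existing : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened deep merge: skip the keys that reach the prototype chain, and
// only descend into properties the target owns itself, never inherited ones.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function extendHardened(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = extendHardened(isPlainObject(existing) ? existing : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function runDemo() {
  const untrustedJson = '{"name":"guest","__proto__":{"isAdmin":true}}';
  extendVulnerable({}, JSON.parse(untrustedJson));
  const afterVulnerable = ({}).isAdmin;          // true: every object now "is admin"
  delete Object.prototype.isAdmin;               // undo the pollution for the rest of the run
  const merged = extendHardened({ prefs: { theme: 'dark' } }, JSON.parse(untrustedJson));
  const afterHardened = ({}).isAdmin;            // undefined
  return { afterVulnerable, afterHardened, merged };
}
```

The impact depends on what later code reads from objects it assumes are clean; an `if (options.isAdmin)` or a template helper looked up by name is enough to turn the pollution into an authorization bypass or script execution, which is why NVD files it under CWE-79 even though the primitive itself is a write to Object.prototype.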

CVE-2020-11022  

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.2; versions up to (excluding) 3.5.0

CVE-2020-11023  

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.0.3; versions up to (excluding) 3.5.0

springfox-swagger-ui-2.5.0.jar: jquery.ba-bbq.min.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-ui-2.5.0.jar/META-INF/resources/webjars/springfox-swagger-ui/lib/jquery.ba-bbq.min.js
MD5: 07c72646c76932834219ef6827451df3
SHA1: 42a48a21f1cfe2e38c2d7983c3120fa3c4fbad04
SHA256: 4390c59a398ab1d124b5daa588728b1f05dede144555b4b29706363eaa000bef

Identifiers

  • None

springfox-swagger-ui-2.5.0.jar: jquery.slideto.min.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-ui-2.5.0.jar/META-INF/resources/webjars/springfox-swagger-ui/lib/jquery.slideto.min.js
MD5: 0860d2328e5a333731cf95de440f4356
SHA1: b849bafad46251cbced13d4b501694dd21bd7464
SHA256: 4ac55a3315abf9efaddf5c91723409a73e4b3c1b070199a1cd2e1f20db687e48

Identifiers

  • None

springfox-swagger-ui-2.5.0.jar: jquery.wiggle.min.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-ui-2.5.0.jar/META-INF/resources/webjars/springfox-swagger-ui/lib/jquery.wiggle.min.js
MD5: 7438b3ef10b182042dfa722f99ef2574
SHA1: 8fdf6f42eb6e3fad77ea4be4eb39046538ad8253
SHA256: 624a5b6c44f072fc01c12a66b8daf9c0b0d191569077f6c10fa7d3d83fe0c8f3

Identifiers

  • None

springfox-swagger-ui-2.5.0.jar: jsoneditor.min.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-ui-2.5.0.jar/META-INF/resources/webjars/springfox-swagger-ui/lib/jsoneditor.min.js
MD5: d4e890d92f40df14dbe4ed373a99b72a
SHA1: 53fb97f2e049c6df8779150d1a03d77af167a442
SHA256: 4c3771ac9aea4d65042f677ad5d9d83201e7c2b711d705e2a064229ec05511f4

Identifiers

  • None

springfox-swagger-ui-2.5.0.jar: marked.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-ui-2.5.0.jar/META-INF/resources/webjars/springfox-swagger-ui/lib/marked.js
MD5: 314b30dbc1b056c36d790e5b23fa4283
SHA1: 28c90613a2ba4cfb8b8220b9c94e6ba2936309dd
SHA256: a842d3f3b6545e025497f2287ed159507518379f1c6525bf15f3de0357aa1797

Identifiers

  • None

springfox-swagger-ui-2.5.0.jar: pl.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-ui-2.5.0.jar/META-INF/resources/webjars/springfox-swagger-ui/lang/pl.js
MD5: 389b5ed50d756a6d72ab0c59aa2d174a
SHA1: 8d940a76b6d703d85fcd1a21680ef574ddd4023a
SHA256: b6853a3d820dfb1831b95950479fdd8c5d8cabbb5faa7ae710878d6c047c31fc

Identifiers

  • None

springfox-swagger-ui-2.5.0.jar: pt.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-ui-2.5.0.jar/META-INF/resources/webjars/springfox-swagger-ui/lang/pt.js
MD5: 728b749a4eeaf63cb35a175ce4fc4dd2
SHA1: 567a0bcb625d51bb0d7335589a63b57cc8d1fedd
SHA256: f52067367cd70203e726b6f2c957dfdafd3f3eb1821e973867c93b70abe003b1

Identifiers

  • None

springfox-swagger-ui-2.5.0.jar: ru.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-ui-2.5.0.jar/META-INF/resources/webjars/springfox-swagger-ui/lang/ru.js
MD5: a1e954e6c00d0df21f4f99463e87424f
SHA1: 970b8e7dd9c2ee5d12cccd9b1b5a2b56b911f7c2
SHA256: 902577d6a9edece7ffcda6a63c4283faf649dd947b519c4659cfe35dbad8e809

Identifiers

  • None

springfox-swagger-ui-2.5.0.jar: springfox.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-ui-2.5.0.jar/META-INF/resources/webjars/springfox-swagger-ui/springfox.js
MD5: de218e8da665ca4e753dbe43dc7cddb7
SHA1: 2fb21782abd3980761f31010209aaceb56d60431
SHA256: 866dc1b7631f0d576546768ce099201fbbd8e771cd603ac04cf2977f51a28cd4

Identifiers

  • None

springfox-swagger-ui-2.5.0.jar: swagger-oauth.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-ui-2.5.0.jar/META-INF/resources/webjars/springfox-swagger-ui/lib/swagger-oauth.js
MD5: 6a45dbfe7ea1fb69face094ec047d4ba
SHA1: 2fc12af5b6ef80b1a15309846da19666a79904b5
SHA256: 371abdde4d67efaa8f6f566fb77f57c3bf12796e44c19cc934898e37932a22a8

Identifiers

  • None

springfox-swagger-ui-2.5.0.jar: swagger-ui.min.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-ui-2.5.0.jar/META-INF/resources/webjars/springfox-swagger-ui/swagger-ui.min.js
MD5: d83cabba2a5b98948da0e927aaa1d8ae
SHA1: 036017e04301d223ae955aec1978ded5139798ee
SHA256: ceadb3d6acb6cd681f1b2975d08f83d9e07e6c0e59a3b9943cfd45219f0c9026

Identifiers

  • None

springfox-swagger-ui-2.5.0.jar: tr.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-ui-2.5.0.jar/META-INF/resources/webjars/springfox-swagger-ui/lang/tr.js
MD5: 755acffd181528cd33d83585b07f8d55
SHA1: 5b854a3e6efd168830b182306531c02a288329a6
SHA256: 2c1f42a57860ecf8e70e2a5706748131940eb43b730d72913053ffaa2c511993

Identifiers

  • None

springfox-swagger-ui-2.5.0.jar: translator.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-ui-2.5.0.jar/META-INF/resources/webjars/springfox-swagger-ui/lang/translator.js
MD5: 41f73296d6057069ffcdc44e072bd06c
SHA1: a2e3ab15c2ebac12ca88db561be990c3664e39f0
SHA256: 3c3d409d64155c4eaf090225dd726d279a7ccf2a7c039462573490184ec915a1

Identifiers

  • None

springfox-swagger-ui-2.5.0.jar: underscore-min.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-ui-2.5.0.jar/META-INF/resources/webjars/springfox-swagger-ui/lib/underscore-min.js
MD5: 137af05d496f59d468d1ffbce32f375d
SHA1: fb26909af4ad2a6c240b9aa4b35bb983cf4b20e4
SHA256: 7b6fbd8af1c538408f2fe7eef5f6c52b85db12ab91b63277287e5e9ea83a4931

Identifiers

  • None

springfox-swagger-ui-2.5.0.jar: zh-cn.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger-ui-2.5.0.jar/META-INF/resources/webjars/springfox-swagger-ui/lang/zh-cn.js
MD5: bd6bf4ffb7b327be8976e5df36d4db6b
SHA1: d6c562c4856d2eac83576567cb062536d6e8c9c5
SHA256: 4633c1760afe2d1ff272d0427fc8b1c8a294fb38d28f3d49f1eecc4ffc4c91f9

Identifiers

  • None

springfox-swagger2-2.5.0.jar

Description:

JSON API documentation for spring based applications

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/springfox-swagger2-2.5.0.jar
MD5: c7f2a1fae5d3982d46b7a67ad89f1d51
SHA1: b5f50caa259409ef25930d00c3cd48ba44afb97a
SHA256: dc3dccee8979626b7a36163a146182a6b89c75ecfe6d6d3fd79867f724e38d93

Identifiers

swagger-annotations-1.5.9.jar

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/swagger-annotations-1.5.9.jar
MD5: 6f047e8c85031002929d59690ed6f6ef
SHA1: 0598403e3d21da08f8e46efb9f2b6d7b1bc0046d
SHA256: 53f422e10442bfade487cbd18bceef4fae17b2ac74e342f7ed427640b1c57020

Identifiers

swagger-core-1.5.4.jar

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/swagger-core-1.5.4.jar
MD5: d2078703a0b4648fcdc5f3e59254c1d4
SHA1: 0ed9d5cb44f888fa34c9071afbf8d0916f2dfb7e
SHA256: 38ca1dd588e00d21309bfd35efe10baf64ed9f7920e05ecec2bb12e51281d071

Identifiers

swagger-models-1.5.9.jar

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/swagger-models-1.5.9.jar
MD5: 8a7ab881debb167ddf6c29d7ea5741ee
SHA1: 7cc6e2b63619d826f9da4203630ab7add866a473
SHA256: 4d6f020cdbbbe92068fe254def0b5cd1221402ab84ee03c915ec5f854358d56d

Identifiers

swagger-parser-1.0.13.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/swagger-parser-1.0.13.jar
MD5: def76a2139183415c930eda726557169
SHA1: 1de172858472bd00f529904f2dea07df2a795b31
SHA256: e03a8c8e70262fd5bf9e1a4a92c1d58c0e25a33086582e3c6d517d8689f866fa

Identifiers

CVE-2017-1000207  

A vulnerability in the yaml parsing functionality of Swagger-Parser (version <= 1.0.30) and Swagger codegen (version <= 2.2.2) results in arbitrary code being executed when a maliciously crafted yaml Open-API specification is parsed. This, in particular, affects the 'generate' and 'validate' commands in swagger-codegen (<= 2.2.2) and can lead to arbitrary code being executed when these commands are used on a well-crafted yaml specification.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2017-1000208  

A vulnerability in Swagger-Parser's (version <= 1.0.30) yaml parsing functionality results in arbitrary code being executed when a maliciously crafted yaml Open-API specification is parsed. This, in particular, affects the 'generate' and 'validate' commands in swagger-codegen (<= 2.2.2) and can lead to arbitrary code being executed when these commands are used on a well-crafted yaml specification.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

swagger2markup-0.9.2.jar

Description:

A Swagger to Markup (AsciiDoc and Markdown) converter.

License:

Apache-2.0: https://github.com/Swagger2Markup/swagger2markup/blob/master/LICENSE.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/swagger2markup-0.9.2.jar
MD5: a8f5544849fd1838bbae7a537738db80
SHA1: 1828032b952ccd1fbd525ac0a46cfcc15e0176f7
SHA256: b6b7fb5687e507deb22ed843ce00869a41000d143075b69f7f5c40774be98a76

Identifiers

t-digest-3.0.jar

Description:

Data structure which allows accurate estimation of quantiles and related rank statistics

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-elasticsearch/target/dependency/t-digest-3.0.jar
MD5: e7ede835f73c70cc662ca4d241250f1a
SHA1: 84ccf145ac2215e6bfa63baa3101c0af41017cfc
SHA256: 5271fc25f94c01fa7a0e30a522118705bf3db7441a0b9636e5122b05a3d9c35d

Identifiers

tomcat-embed-core-8.5.11.jar

Description:

Core Tomcat implementation

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-parent/target/dependency/tomcat-embed-core-8.5.11.jar
MD5: dbaf0cf045f317f6c934cd34d23941e8
SHA1: 72761f51fc7cef3ee19d4aafc7adc605df9f611f
SHA256: e88bebb48bc541f79d114bb00b2e7bac024ad1723b2c32220655518880089555

Identifiers

CVE-2017-12617  

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
CWE-434 Unrestricted Upload of File with Dangerous Type

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2017-5647  

A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2017-5648  

While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.
CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2017-5650  

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.
CWE-404 Improper Resource Shutdown or Release

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2017-5651  

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2017-5664  

The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.
CWE-755 Improper Handling of Exceptional Conditions

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2017-7674  

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.
CWE-345 Insufficient Verification of Data Authenticity

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2017-7675  

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-11784  

When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker's choice.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1304  

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1305  

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1336  

An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2018-8014  

The default settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
CWE-1188

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-8034  

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.
CWE-295 Improper Certificate Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-8037  

If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2019-0199  

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2019-0221  

The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2019-0232  

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv2:
  • Base Score: HIGH (9.3)
  • Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2019-10072  

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40. By not sending WINDOW_UPDATE messages for the connection window (stream 0), clients were able to cause server-side threads to block, eventually leading to thread exhaustion and a DoS.
CWE-667 Improper Locking

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2019-12418  

When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.
CWE-522 Insufficiently Protected Credentials

CVSSv2:
  • Base Score: MEDIUM (4.4)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.0)
  • Vector: /AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2019-17563  

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.
CWE-384 Session Fixation

CVSSv2:
  • Base Score: MEDIUM (5.1)
  • Vector: /AV:N/AC:H/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-11996  

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2020-13934  

An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2020-13935  

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2020-13943  

If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2020-1935  

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2020-1938  

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed:
  • returning arbitrary files from anywhere in the web application
  • processing any file in the web application as a JSP
Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-8022  

An Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects:
  • SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1.
  • SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1.
  • SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1.
  • SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1.
  • SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1.
  • SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1.
  • SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1.
  • SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3.
  • SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1.
  • SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1.
  • SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3.
  • SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1.
  • SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1.
  • SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1.
CWE-276 Incorrect Default Permissions

CVSSv2:
  • Base Score: HIGH (7.2)
  • Vector: /AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.4)
  • Vector: /AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-9484  

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (4.4)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.0)
  • Vector: /AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

tomcat-embed-el-8.5.11.jar

Description:

Core Tomcat implementation

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-migration/target/dependency/tomcat-embed-el-8.5.11.jar
MD5: a0219ec6183ec52f79aa24cb341b822f
SHA1: 60253815b897166903bf5ec41219c5bb15333a69
SHA256: 14f8746e75ac9b81a4c70c2bd81f00822f75953565b54988f323f2eb0c683bef

Identifiers

tomcat-juli-8.5.11.jar

Description:

Tomcat Core Logging Package

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-sms-http/target/dependency/tomcat-juli-8.5.11.jar
MD5: fea6f5dd1fe9cc963af3b291c6e0ac43
SHA1: fa0b261ce002175b65ebb6ae8eb4345cb7e57da3
SHA256: 73373479452945054d110cc6c987898bfa6ad6a20f8709018b94bf888a51705c

Identifiers

tools-1.8.0.jar

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/tools-1.8.0.jar
MD5: d1e9463b86029989ad0e3d09859b931e
SHA1: 63eca2ac6ea0d273b8b8ec1469708294889b2d60
SHA256: 6c5910dbc5c10213f3ad0b4d5fe14464b2cc9792c252157d4ea1b29d4e5ab46c

Identifiers

  • None

tools-1.8.0.jar: hat.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/tools-1.8.0.jar/com/sun/tools/hat/resources/hat.js
MD5: 5b9bb94cd3d4b0b80c0b8de391f8213c
SHA1: 5f4cb38488c11cd2f604358d18a41b6cd591c3af
SHA256: 1ccdc8b5ce7cb76170d8d873f5fdf3b4ab64c17110349bd172e49331c0d78564

Identifiers

  • None

tools-1.8.0.jar: init.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/tools-1.8.0.jar/com/sun/tools/script/shell/init.js
MD5: c6da122401fcbff02fe56f8f7837640f
SHA1: ae8ba086aaabf38afdc61f9992119b6eb446ef43
SHA256: 1100ba8df6f5176db31c1e4413c54437b33b61544df131770b0ba0b2ac6c12cf

Identifiers

  • None

tools-1.8.0.jar: script.js

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-shiro-redis/target/dependency/tools-1.8.0.jar/com/sun/tools/doclets/internal/toolkit/resources/script.js
MD5: 4a010b8264c9873452f055748133bb29
SHA1: 58e5151d49209a2e12b988e84e9a74b781c68a2e
SHA256: 506393161b692568f588d68beaecf9ad5d33f147abad909d9cde12918dbce7b7

Identifiers

  • None

transport-5.2.1.jar

Description:

Elasticsearch subproject :client:transport

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-elasticsearch/target/dependency/transport-5.2.1.jar
MD5: f405a3a73484f47b9a33456b08257f5b
SHA1: aa712924b420570be5b846eaeeeee84d326c40ef
SHA256: 3a733799e91f9a1a472c60d0f90d963adf22f8c284b1a146200ca0189751ddb2

Identifiers

CVE-2019-7611  

A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used. If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2019-7614  

A race condition flaw was found in the response headers that Elasticsearch versions before 7.2.1 and 6.8.2 return to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to a response header containing sensitive data from another user.
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2020-7019  

In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

uri-template-0.9.jar

Description:

null

License:

Lesser General Public License, version 3 or greater: http://www.gnu.org/licenses/lgpl.html
Apache Software License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-web/target/dependency/uri-template-0.9.jar
MD5: f0bfa64e2bbbb4da7d1913f47bcee3d7
SHA1: ab1ad5804d3c7d640f21059085df5be340e97929
SHA256: 5bc99edfa927dcf5f0f7ee9ae440750139d97c8c9b5a23400b497f28adf3edc5

Identifiers

validation-api-1.1.0.Final.jar

Description:

Bean Validation API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-migration/target/dependency/validation-api-1.1.0.Final.jar
MD5: 4c257f52462860b62ab3cdab45f53082
SHA1: 8613ae82954779d518631e05daa73a6a954817d5
SHA256: f39d7ba7253e35f5ac48081ec1bc28c5df9b32ac4b7db20853e5a8e76bf7b0ed

Identifiers

velocity-1.5.jar

Description:

Apache Velocity is a general purpose template engine.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-migration/target/dependency/velocity-1.5.jar
MD5: 8d46d30a37e1cf2047cdfa73c552e8a9
SHA1: 09f306baf7523ffc0e81a6353d08a584d254133b
SHA256: e06403f9cd69033e523bec43195a2a1b6106e28c5d7d053b569ae771e9e49a62

Identifiers

wagon-provider-api-1.0-beta-6.jar

Description:

Maven Wagon API that defines the contract between different Wagon implementations

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-sms-http/target/dependency/wagon-provider-api-1.0-beta-6.jar
MD5: 63826e38e44f08e7935c1d173667ed8c
SHA1: 3f952e0282ae77ae59851d96bb18015e520b6208
SHA256: e116f32edcb77067289a3148143f2c0c97b27cf9a1342f8108ee37dec4868861

Identifiers

xercesImpl-2.8.1.jar

Description:

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-elasticsearch/target/dependency/xercesImpl-2.8.1.jar
MD5: e86f321c8191b37bd720ff5679f57288
SHA1: 25101e37ec0c907db6f0612cbf106ee519c1aef1
SHA256: f95f3ad141bdff5a64962f6c26b4f18ecf0975cd3a68802712284b9e6db37e1b

Identifiers

CVE-2009-2625 (OSSINDEX)  

> A denial of service flaw was found in the way the JRE processes XML. A remote attacker could use this flaw to supply crafted XML that would lead to a denial of service.
> 
> -- [redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2625)
Unscored:
  • Severity: Unknown

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:xerces:xercesImpl:2.8.1:*:*:*:*:*:*:*

CVE-2012-0881  

Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
CWE-399 Resource Management Errors

CVSSv2:
  • Base Score: HIGH (7.8)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

xml-apis-1.4.01.jar

Description:

xml-commons provides an Apache-hosted set of DOM, SAX, and JAXP interfaces for use in other xml-based projects. Our hope is that we can standardize on both a common version and packaging scheme for these critical XML standards interfaces to make the lives of both our developers and users easier. The External Components portion of xml-commons contains interfaces that are defined by external standards organizations. For DOM, that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for JAXP it's Sun.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
The SAX License: http://www.saxproject.org/copying.html
The W3C License: http://www.w3.org/TR/2004/REC-DOM-Level-3-Core-20040407/java-binding.zip
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-mail/target/dependency/xml-apis-1.4.01.jar
MD5: 7eaad6fea5925cca6c36ee8b3e02ac9d
SHA1: 3789d9fada2d3d458c4ba2de349d48780f381ee3
SHA256: a840968176645684bb01aed376e067ab39614885f9eee44abe35a5f20ebe7fad

Identifiers

xmlpull-1.1.3.1.jar

License:

Public Domain: http://www.xmlpull.org/v1/download/unpacked/LICENSE.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-batch/target/dependency/xmlpull-1.1.3.1.jar
MD5: cc57dacc720eca721a50e78934b822d2
SHA1: 2b8e230d2ab644e4ecaa94db7cdedbc40c805dfa
SHA256: 34e08ee62116071cbb69c0ed70d15a7a5b208d62798c59f2120bb8929324cb63

Identifiers

xpp3_min-1.1.4c.jar

Description:

MXP1 is a stable XmlPull parsing engine that is based on ideas from XPP and in particular XPP2 but completely revised and rewritten to take the best advantage of latest JIT JVMs such as Hotspot in JDK 1.4+.

License:

Indiana University Extreme! Lab Software License, version 1.1.1: http://www.extreme.indiana.edu/viewcvs/~checkout~/XPP3/java/LICENSE.txt
Public Domain: http://creativecommons.org/licenses/publicdomain
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-batch/target/dependency/xpp3_min-1.1.4c.jar
MD5: dcd95bcb84b09897b2b66d4684c040da
SHA1: 19d4e90b43059058f6e056f794f0ea4030d60b86
SHA256: bfc90e9e32d0eab1f397fb974b5f150a815188382ac41f372a7149d5bc178008

Identifiers

xstream-1.4.7.jar

Description:

XStream is a serialization library from Java objects to XML and back.

License:

http://xstream.codehaus.org/license.html
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-batch/target/dependency/xstream-1.4.7.jar
MD5: 9d5276eee85637842dcd2095f820e964
SHA1: bce3282142b63068260f021fcbe48b72e8d71a1a
SHA256: 7f8039c0ee7284f9c2a9554b5e2bc20bf26b74b37f690633a75ff1993136f364

Identifiers

CVE-2016-3674  

Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2017-7957  

XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

zuul-core-1.3.0.jar

Description:

zuul-core

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /mnt/sonarshell/projects/udesk-fever-framework_0.0.3/fever-metrics/target/dependency/zuul-core-1.3.0.jar
MD5: 9533c3050e05d4198473925ab8d045a2
SHA1: 3974695eb1c9845a2fc575acfdea2d8d91deba1b
SHA256: 9425cd10eecbc2ad77902f8ddbdfc0f57fa6fd573bc0a8f8e2114a05ed67c848

Identifiers
This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the NPM Public Advisories.
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.